CVE-2026-56664 in ZITADEL
Summary
by MITRE • 07/10/2026
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability affects ZITADEL identity management platform where external JWT Identity Provider validation contains a critical flaw in the session handling mechanism. This weakness exists in the internal/idp/providers/jwt/session.go file and specifically impacts versions prior to 3.4.12 and 4.15.2, creating a security gap that allows malicious actors to exploit authentication bypass opportunities. The issue stems from improper validation logic that fails to enforce token freshness requirements when the optional iat (issued at) claim is missing from incoming JWT tokens.
The technical flaw manifests when ZITADEL processes JWT tokens from trusted external identity providers without properly validating their age constraints. Normally, JWT tokens should include an iat claim to establish when they were issued, enabling systems to enforce maximum token age policies and prevent the use of stale credentials. However, the vulnerability allows tokens lacking this claim to bypass the freshness check entirely, effectively permitting arbitrarily old tokens to authenticate successfully. This represents a direct violation of security best practices for session management and credential validation, as it removes the temporal integrity checks that are fundamental to preventing replay attacks and unauthorized access.
The operational impact of this vulnerability is significant as it undermines the core authentication mechanisms within ZITADEL's identity provider framework. Attackers could leverage this weakness by obtaining old JWT tokens from compromised or leaked credentials and using them indefinitely to gain unauthorized access to systems protected by ZITADEL. The vulnerability particularly affects environments where external identity providers are trusted but may have been compromised, as the lack of token age validation removes a crucial defense layer against credential reuse attacks. This issue directly relates to CWE-345 Insufficient Verification of Data Authenticity and CWE-312 Cleartext Storage of Sensitive Information, as it allows for the acceptance of potentially compromised credentials without proper freshness verification.
The mitigation strategy involves upgrading to ZITADEL versions 3.4.12 or 4.15.2 where the validation logic has been corrected to properly enforce maximum token age checks regardless of whether the iat claim is present in incoming JWT tokens. Security administrators should also implement additional monitoring and logging around authentication events to detect potential exploitation attempts. Organizations using older versions should consider implementing compensating controls such as stricter external identity provider access policies and enhanced session management configurations. From an ATT&CK perspective, this vulnerability maps to T1566.002 Phishing: Spearphishing Attachments and T1078 Valid Accounts, as it enables attackers to leverage legitimate but stale credentials for persistent access to systems. The fix ensures compliance with security standards requiring proper token validation and temporal integrity checking in identity management systems.