CVE-2026-56665 in ZITADEL
Summary
by MITRE • 07/10/2026
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability affects ZITADEL identity management platform versions prior to 3.4.12 and 4.15.2, specifically impacting the external JWT Identity Provider validation mechanism. This flaw resides in the internal/idp/providers/jwt/session.go file where the system fails to properly handle token expiration when the exp claim is missing from incoming JWT tokens. The issue occurs during authentication flows where ZITADEL validates external identity providers using JWT tokens, creating a security gap that allows tokens without explicit expiration timestamps to be treated as perpetually valid.
The technical flaw represents a critical weakness in the token validation logic where the system does not enforce proper expiration handling for JWT tokens lacking the exp claim. According to CWE-290, this vulnerability falls under authentication bypass due to insecure token handling, while ATT&CK technique T1566.001 covers the use of valid accounts for initial access. When a JWT token from a trusted issuer omits the expiration claim, the system incorrectly treats it as valid indefinitely, bypassing normal session lifecycle management and potentially allowing persistent unauthorized access.
The operational impact of this vulnerability is significant as it creates a persistent security risk where authenticated sessions could remain active beyond their intended lifespan. Attackers who can obtain a JWT token from a trusted issuer without an expiration claim could maintain access to the system indefinitely, effectively creating a backdoor that bypasses normal session timeout mechanisms. This weakness undermines the principle of least privilege and could allow for prolonged unauthorized access to protected resources within the ZITADEL environment.
The fix implemented in versions 3.4.12 and 4.15.2 addresses this by ensuring proper expiration handling regardless of whether the exp claim is present in incoming JWT tokens. The mitigation strategy enforces that all validated tokens must have appropriate expiration windows, preventing the acceptance of tokens that lack explicit expiration timestamps. Organizations should immediately upgrade to these patched versions and conduct thorough security reviews of existing sessions that may have been affected by this vulnerability during the vulnerable time period. The fix aligns with industry best practices for token management and reinforces proper session lifecycle controls as outlined in NIST SP 800-63B authentication framework requirements.