CVE-2026-56668 in ZITADELinfo

Summary

by MITRE • 07/10/2026

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in ZITADEL's OAuth2 Token Exchange endpoint represents a critical authorization flaw that undermines the security of identity management operations. This issue affects versions prior to 4.15.3 and specifically targets the urn:ietf:params:oauth:grant-type:token-exchange grant type implementation. The flaw stems from insufficient validation mechanisms within the token exchange process, where the system fails to enforce proper scope boundaries and client authentication checks during token transformation operations.

The technical implementation of this vulnerability allows malicious actors to exploit weak access control measures by enabling unauthorized scope escalation through token manipulation. When a client requests token exchange using the specified grant type, the system does not validate whether the subject token originates from the requesting client application or whether the requested scopes fall within the original token's authorized permissions. This absence of verification creates a path for privilege escalation where low-privilege tokens can be exchanged for elevated access rights at other applications within the same ecosystem.

From an operational impact perspective, this vulnerability poses significant risks to organizations relying on ZITADEL for identity management. Attackers could leverage this weakness to gain unauthorized access to systems and resources that should only be accessible with higher privileges. The flaw essentially allows for lateral movement within the security boundaries of applications protected by ZITADEL's OAuth2 implementation, potentially leading to data breaches, unauthorized system modifications, or complete compromise of protected services.

The vulnerability aligns with CWE-284, which addresses improper access control in software systems, and specifically relates to inadequate authorization checks during token exchange operations. This issue also maps to ATT&CK technique T1566, representing credential manipulation through token-based attacks that exploit weaknesses in authentication systems. Organizations using affected versions should immediately implement mitigations including mandatory access control enforcement for token exchanges, scope validation mechanisms, and comprehensive monitoring of token exchange activities.

The fix implemented in version 4.15.3 addresses these concerns by introducing proper client verification procedures and scope boundary checks during the token exchange process. This update ensures that the system validates both the authenticity of the subject token against the requesting client and confirms that requested scopes remain within the original token's authorized boundaries, thereby preventing unauthorized privilege escalation attacks. Security teams should prioritize upgrading to this patched version while implementing additional monitoring controls to detect potential exploitation attempts.

Responsible

GitHub M

Reservation

06/22/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!