Zitadel up to 2.71.19/3.4.6/4.10.x Access Token token_id authentication bypass by assumed-immutable data

Summaryinfo

A vulnerability was found in Zitadel up to 2.71.19/3.4.6/4.10.x and classified as problematic. This affects an unknown part of the component Access Token Handler. Executing a manipulation of the argument token_id can lead to authentication bypass by assumed-immutable data. This vulnerability is tracked as CVE-2026-27840. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic was found in Zitadel up to 2.71.19/3.4.6/4.10.x. This vulnerability affects an unknown code of the component Access Token Handler. The manipulation of the argument token_id with an unknown input leads to a authentication bypass by assumed-immutable data vulnerability. The CWE definition for the vulnerability is CWE-302. The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. As an impact it is known to affect integrity. CVE summarizes:

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `<token_id>:<user_id>`. v2 tokens distinguished further where the `token_id` is of the format `v2_<oidc_session_id>-at_<access_token_id>`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.

The advisory is shared for download at github.com. This vulnerability was named CVE-2026-27840 since 02/24/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available.

Upgrading to version 3.4.7 or 4.11.0 eliminates this vulnerability. The upgrade is hosted for download at github.com.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-8789). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Zitadel

Version

• 2.71.0
• 2.71.1
• 2.71.2
• 2.71.3
• 2.71.4
• 2.71.5
• 2.71.6
• 2.71.7
• 2.71.8
• 2.71.9
• 2.71.10
• 2.71.11
• 2.71.12
• 2.71.13
• 2.71.14
• 2.71.15
• 2.71.16
• 2.71.17
• 2.71.18
• 2.71.19
• 3.4.0
• 3.4.1
• 3.4.2
• 3.4.3
• 3.4.4
• 3.4.5
• 3.4.6
• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5
• 4.6
• 4.7
• 4.8
• 4.9
• 4.10

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion