CVE-2026-27840
Status: Received - Intake
Opaque Token Validation Flaw in ZITADEL Identity Platform

Publication date: 2026-02-26

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format that have been truncated to 80 characters are still considered valid.

ZITADEL uses symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of identifiers such as a token ID and a user ID, in the format `<token_id>:<user_id>`. Internally, ZITADEL has two versions of token payloads. v1 tokens are no longer created but are still verified, so that existing sessions are not invalidated after an upgrade. v2 tokens are distinguished further: their `token_id` has the format `v2_<oidc_session_id>-at_<access_token_id>`.

For v1 tokens, the authentication/authorization session data is retrieved from the database using the (simple) `token_id` and `user_id` values, and the `user_id` (called `subject` in some parts of the ZITADEL code) is used as the trusted user ID. For v2 tokens, the session data is retrieved using the `oidc_session_id` and `access_token_id`; the `user_id` from the token is ignored and is taken from the session data in the database instead. Truncating the token to 80 characters removes the `user_id` from the cleartext of a v2 token, and the back-end still accepts it for the reasons above.

This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.
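The lookup difference described above, as an added illustrative Go example that is not ZITADEL's code: it models the cleartext handling only (AES decryption is left out), the `session` and `payload` types, the `v2Sessions`/`v1Sessions` maps and every sample identifier are constructed for this example, and `validate(..., false)` mirrors the pre-patch logic while `validate(..., true)` mirrors the patched check of the token's `user_id` against the session record. Truncation is modelled at the cleartext level by dropping the `:<user_id>` suffix, rather than at the 80-character boundary of the encrypted token.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// session is the record the database holds for an access token
// (constructed sample schema for this example, not ZITADEL's).
type session struct {
	OIDCSessionID string
	AccessTokenID string
	UserID        string
}

// v2Sessions stands in for the v2 lookup keyed by oidc_session_id and access_token_id.
var v2Sessions = map[string]session{
	"S1|AT1": {OIDCSessionID: "S1", AccessTokenID: "AT1", UserID: "user-42"},
}

// v1Sessions stands in for the legacy lookup keyed by token_id and user_id.
var v1Sessions = map[string]string{
	"legacy-tok|user-7": "user-7",
}

// payload is the decrypted cleartext "<token_id>:<user_id>" split into parts.
// Decryption is out of scope here; everything below starts from cleartext.
type payload struct {
	TokenID       string
	UserID        string // empty when the ":<user_id>" suffix was cut off
	IsV2          bool
	OIDCSessionID string
	AccessTokenID string
}

func parsePayload(cleartext string) (payload, error) {
	tokenID, userID, _ := strings.Cut(cleartext, ":")
	p := payload{TokenID: tokenID, UserID: userID}
	if !strings.HasPrefix(tokenID, "v2_") {
		return p, nil // v1 payload: token_id is a plain identifier
	}
	// v2 token_id: "v2_<oidc_session_id>-at_<access_token_id>"
	sid, atID, ok := strings.Cut(strings.TrimPrefix(tokenID, "v2_"), "-at_")
	if !ok || sid == "" || atID == "" {
		return payload{}, errors.New("malformed v2 token id")
	}
	p.IsV2, p.OIDCSessionID, p.AccessTokenID = true, sid, atID
	return p, nil
}

// resolveSession fetches the session record. v1 uses token_id plus the user_id
// carried in the token; v2 uses only the two IDs embedded in token_id.
func resolveSession(p payload) (session, error) {
	if !p.IsV2 {
		uid, ok := v1Sessions[p.TokenID+"|"+p.UserID]
		if !ok {
			return session{}, errors.New("unknown v1 session")
		}
		return session{UserID: uid}, nil
	}
	s, ok := v2Sessions[p.OIDCSessionID+"|"+p.AccessTokenID]
	if !ok {
		return session{}, errors.New("unknown v2 session")
	}
	return s, nil
}

// validate resolves a cleartext payload to the user ID the server would trust.
// patched=false models the pre-patch behaviour: for v2 the user_id in the
// cleartext is never consulted, so a payload whose ":<user_id>" suffix has been
// cut off still resolves to a valid session. patched=true models the fix in
// 3.4.7 / 4.11.0: the user_id carried in the token must be present and must
// match the user_id stored with the session.
func validate(cleartext string, patched bool) (string, error) {
	p, err := parsePayload(cleartext)
	if err != nil {
		return "", err
	}
	s, err := resolveSession(p)
	if err != nil {
		return "", err
	}
	if patched && (p.UserID == "" || p.UserID != s.UserID) {
		return "", errors.New("token user_id does not match session data")
	}
	return s.UserID, nil
}

func main() {
	full := "v2_S1-at_AT1:user-42"
	truncated := full[:strings.LastIndex(full, ":")] // ":<user_id>" suffix removed
	for _, c := range []string{full, truncated, "v2_S1-at_AT1:user-99"} {
		v, vErr := validate(c, false)
		p, pErr := validate(c, true)
		fmt.Printf("%-22s pre-patch=%q err=%v | patched=%q err=%v\n", c, v, vErr, p, pErr)
	}
}
```

Running the block prints three rows: the full token passes both paths, the truncated token passes only the pre-patch path, and a token whose `user_id` disagrees with the session record passes the pre-patch path (the field is ignored there) but is rejected by the patched check.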
Meta Information
Published: 2026-02-26
Last Modified: 2026-03-05
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor Product Version / Range
zitadel zitadel From 2.31.0 (inc) to 2.71.19 (inc)
zitadel zitadel From 3.0.0 (inc) to 3.4.7 (exc)
zitadel zitadel From 4.0.0 (inc) to 4.11.0 (exc)
Exploitability
CWE ID Description
CWE-302 The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27840 is a vulnerability in ZITADEL's handling of opaque OpenID Connect (OIDC) access tokens in the version 2 (v2) format. Specifically, when these tokens are truncated to 80 characters, the user ID portion of the token's cleartext payload is omitted, but the backend still accepts the truncated token as valid.

ZITADEL uses symmetric AES encryption for opaque tokens, where the cleartext payload concatenates identifiers such as token ID and user ID. There are two token payload versions: v1 tokens (no longer created but still verified) and v2 tokens. For v2 tokens, the token ID includes an OIDC session ID and an access token ID, and the user ID is appended after a colon.

The vulnerability arises because truncated v2 tokens missing the user ID are still accepted by the backend. This happens because v2 token authorization retrieves session data using only the OIDC session ID and access token ID, ignoring the user ID from the token. Although this behavior may look awkward, it is not considered exploitable.

The issue is fixed in patched versions by verifying the user ID from the token against the session data in the database, preventing acceptance of truncated tokens. [2]


How can this vulnerability impact me?

This vulnerability allows truncated v2 opaque tokens missing the user ID to be accepted as valid by the backend. However, it is not considered exploitable and does not allow unauthorized data access or significant integrity compromise.

The impact is limited to potentially awkward or unexpected token acceptance behavior, which might cause confusion or minor integrity concerns but does not lead to a breach of confidentiality or availability.

The CVSS v3.1 base score is 4.3, indicating a moderate severity with low attack complexity and no privileges required, but user interaction is needed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves acceptance of opaque OIDC v2 tokens truncated to 80 characters, which still validate despite missing the user ID portion. Detection would involve identifying such truncated tokens in use or in logs.

Since the tokens are opaque and encrypted, direct inspection on the network is of little use. However, monitoring authentication or token validation logs for tokens that are exactly 80 characters long, or for tokens whose decrypted payload lacks the user ID portion, could help detect this issue.

No specific commands or detection tools are provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to upgrade Zitadel to a patched version where this vulnerability is fixed.

  • Upgrade to Zitadel version 4.11.0 or later if using the 4.x series.
  • Upgrade to Zitadel version 3.4.7 or later if using the 3.x or 2.x series.

The patch enforces verification of the user ID from the token against session data in the database, preventing acceptance of truncated tokens.

No known workarounds are available.

