CVE-2026-55672
Deferred Deferred - Pending Action

OAuth2 Token Misuse in ZITADEL

Vulnerability report for CVE-2026-55672, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 3.4.12 (exc)
zitadel zitadel From 3.0.0 (inc) to 4.15.2 (exc)
zitadel zitadel From 3.0.0 (inc) to 3.4.12 (exc)
zitalel zitalel to 4.15.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects ZITADEL's OAuth2 and OpenID Connect (OIDC) implementations, specifically in the CodeExchange, RefreshToken, and device token flows. Prior to versions 3.4.12 and 4.15.2, the system failed to verify that the client requesting a token matched the client that originally initiated the authorization flow. This means that intercepted authorization codes or refresh tokens could be exchanged by a different client, allowing unauthorized token issuance.

The root cause is missing client_id binding validation, which violates the OAuth2 specification (RFC 6749 Section 4.1.3) that requires ensuring the authorization code was issued to the authenticated client. This flaw can be exploited if an attacker intercepts tokens through external vulnerabilities such as cross-site scripting (XSS), referrer leakage, or network interception.

Impact Analysis

This vulnerability can lead to unauthorized access by allowing attackers to exchange intercepted authorization codes or refresh tokens under a different client identity. This can result in persistent unauthorized access or cross-tenant misuse in multi-tenant environments.

The impact includes compromise of confidentiality and integrity of user sessions or data, as attackers could impersonate legitimate clients without proper authorization checks. The vulnerability has a high severity score (CVSS 7.4) due to these potential impacts.

Detection Guidance

This vulnerability can be detected by monitoring OAuth2 and OIDC token exchange and refresh token flows for mismatched client_id values. Specifically, attempts to exchange authorization codes or refresh tokens where the client_id in the request does not match the client_id that initiated the authorization flow indicate exploitation attempts.

The updated ZITADEL system returns error messages such as "client_id does not correspond to the client_id in the authorization request" or "client_id does not correspond to the client_id in the refresh token" when such mismatches occur.

To detect this on your system, you can review logs for these specific error messages or anomalous token exchange requests with differing client_ids.

While no explicit commands are provided in the resources, you can use log inspection commands such as:

  • grep -i 'client_id does not correspond' /path/to/zitadel/logs/*
  • grep -E 'token exchange|refresh token' /path/to/zitadel/logs/* | grep -v 'client_id matches'

Additionally, monitoring network traffic for OAuth2 token exchange requests where the client_id parameter differs from expected values may help detect exploitation attempts.

Mitigation Strategies

The primary immediate mitigation step is to upgrade ZITADEL to a fixed version: 3.4.12 or 4.15.2, where the client_id verification during code exchange and refresh token flows has been implemented.

Additional mitigation measures include:

  • Enforce the use of PKCE (Proof Key for Code Exchange) to partially mitigate code injection attacks.
  • Minimize the lifespan of refresh tokens to reduce the window of opportunity for token misuse.
  • Monitor logs for suspicious token exchange attempts with mismatched client_ids and respond accordingly.
Compliance Impact

The vulnerability in ZITADEL's OAuth2 and OIDC flows allows intercepted authorization codes or refresh tokens to be exchanged under a different client due to missing client_id binding validation. This flaw can lead to unauthorized token issuance, resulting in potential unauthorized access to sensitive data.

Such unauthorized access and token misuse can impact confidentiality and integrity of user data, which are critical requirements under common standards and regulations like GDPR and HIPAA. Failure to properly authenticate and authorize clients may lead to data breaches or cross-tenant data exposure in multi-tenant environments, thereby violating compliance obligations related to data protection and access control.

Mitigations such as upgrading to patched versions, enforcing PKCE, and minimizing refresh token lifespans help reduce the risk and support compliance efforts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55672. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart