CVE-2026-56664
Deferred Deferred - Pending Action

JWT Session Validation Bypass in ZITADEL

Vulnerability report for CVE-2026-56664, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
zitadel zitadel From 3.0.0 (inc) to 3.4.12 (exc)
zitalel zitalel to 4.15.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows arbitrarily old JWT tokens that omit the 'iat' (issued-at) claim to bypass token freshness validation, potentially enabling unauthorized access with stale tokens.

This behavior violates the OIDC Core 1.0 specification, which mandates strict session expiration handling.

While the provided information does not explicitly mention GDPR, HIPAA, or other regulatory standards, the acceptance of stale tokens could lead to unauthorized access to sensitive data, which may impact compliance with data protection regulations that require strict access controls and session management.

Therefore, this vulnerability could negatively affect compliance with standards that mandate secure authentication and session management by allowing potentially unauthorized or prolonged access.

Executive Summary

This vulnerability exists in ZITADEL's external JWT Identity Provider validation where the system skips the maximum token age freshness check if the incoming token does not include the 'iat' (issued-at) claim.

Because of this, arbitrarily old tokens from a trusted issuer can be accepted indefinitely, bypassing the intended expiration and freshness validations.

The issue arises because the validation only checked the 'exp' and 'iat' claims if they were explicitly set, allowing tokens without these claims to pass authentication.

This vulnerability was fixed by enforcing mandatory validation of both 'exp' and 'iat' claims, rejecting tokens that lack these claims or have invalid values.

Impact Analysis

This vulnerability allows an attacker to reuse arbitrarily old JWT tokens that lack the 'iat' claim to gain unauthorized access.

Since the system skips the freshness check for such tokens, attackers can bypass session expiration controls and authenticate indefinitely with stale tokens.

The impact includes potential unauthorized access to protected resources or services that rely on ZITADEL for identity management.

Exploitation requires low privileges and no user interaction, making it a moderate security risk.

Detection Guidance

This vulnerability involves JWT tokens missing the 'iat' (issued-at) claim, which allows arbitrarily old tokens to bypass freshness checks. To detect this on your system, you should inspect JWT tokens used for authentication and verify whether they include the 'iat' claim.

You can decode JWT tokens and check their claims using command-line tools such as 'jq' and 'base64'. For example, to decode a JWT token and inspect its payload:

  • Extract the payload part of the JWT (the second part, base64 encoded):
  • echo '<JWT_TOKEN>' | cut -d '.' -f2 | base64 --decode | jq '.'

Look for the presence of the 'iat' claim in the decoded JSON output. Tokens missing this claim are vulnerable to this issue.

Additionally, monitoring authentication logs for acceptance of tokens without 'iat' claims or unusually old tokens can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade ZITADEL to a fixed version: 3.4.12 or 4.15.2 or later, where tokens without the 'iat' claim are explicitly rejected.

If immediate upgrading is not possible, ensure that the upstream Identity Provider includes the 'iat' claim in all signed JWT tokens to enforce token freshness validation.

Review and enforce strict validation of JWT tokens in your authentication flow, rejecting tokens that lack required claims such as 'iat' and 'exp'.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56664. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart