CVE-2026-56665
Deferred Deferred - Pending Action

JWT Token Expiration Bypass in ZITADEL

Vulnerability report for CVE-2026-56665, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 4.15.1 (inc)
zitadel zitadel 3.4.12
zitadel zitadel 4.15.2
zitalel zitalel to 4.15.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows tokens without an expiration claim to be accepted indefinitely, which violates the OIDC Core 1.0 specification requiring strict enforcement of session expiration.

This flaw can lead to unauthorized permanent access, increasing the risk of data exposure or misuse.

Such unauthorized access and insufficient session expiration controls can negatively impact compliance with standards and regulations like GDPR and HIPAA, which mandate strict access controls and timely revocation of credentials to protect personal and sensitive data.

Therefore, this vulnerability undermines the ability to enforce proper session management and access control policies required by these regulations.

Detection Guidance

This vulnerability involves JWT tokens that lack the 'exp' (expiration) claim, causing the expiration check to be skipped. To detect this on your system, you should inspect JWT tokens issued or accepted by your ZITADEL instance to verify if they include the 'exp' claim.

You can decode JWT tokens using command-line tools such as 'jwt-cli' or 'jq' to check for the presence of the 'exp' claim in the payload.

  • Use a command like: `echo '<jwt_token>' | cut -d '.' -f2 | base64 --decode | jq '.'` to decode the JWT payload and check for the 'exp' field.
  • Monitor logs or token issuance processes to identify tokens missing the 'exp' claim.

Since the vulnerability is specific to versions 3.0.0-rc.1 through 3.4.11 and 4.0.0-rc.1 through 4.15.1 of ZITADEL, verifying your installed version can also help detect if you are at risk.

Executive Summary

This vulnerability exists in ZITADEL's external JWT Identity Provider implementation where the expiration check for incoming JWT tokens is skipped if the token does not include the 'exp' (expiration) claim.

Because of this, tokens from trusted issuers that lack the expiration claim are treated as valid indefinitely, allowing attackers to gain permanent access without automatic expiration or revocation.

This behavior violates the OIDC Core 1.0 specification, which requires strict enforcement of session expiration.

Impact Analysis

The vulnerability allows attackers to reuse old or otherwise expired session tokens indefinitely if those tokens lack the expiration claim.

This can lead to unauthorized access to systems or data because the tokens are accepted without automatic expiration or revocation.

Since the attack complexity is high but requires only low privileges and no user interaction, it poses a moderate security risk.

Mitigation Strategies

The primary mitigation is to upgrade ZITADEL to version 3.4.12 or 4.15.2 or later, where the vulnerability is fixed by rejecting tokens missing the 'exp' claim.

If an immediate upgrade is not possible, configure your upstream Identity Provider to ensure that all signed JWT tokens include the 'exp' (expiration) claim to enforce token expiration.

These steps help prevent tokens without expiration from being accepted indefinitely, reducing the risk of unauthorized permanent access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56665. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart