CVE-2026-56668
Deferred Deferred - Pending Action

OAuth2 Token Exchange Privilege Escalation in ZITADEL

Vulnerability report for CVE-2026-56668, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
zitadel zitadel From 4.0.0 (inc) to 4.15.2 (inc)
zitadel zitadel From 3.0.0 (inc) to 3.4.12 (inc)
zitadel zitadel 4.15.3
zitadel zitadel 3.4.12

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56668 is a vulnerability in ZITADEL's OAuth2 Token Exchange endpoint that allows an authenticated user or client to exchange a low-privilege access token for a token with elevated permissions at a different application.

The root cause is that ZITADEL does not verify whether the subject token belongs to the client requesting the exchange, nor does it restrict the requested scopes to those within the original token's scopes.

This flaw enables attackers with access to a low-privilege token to gain unauthorized elevated permissions, potentially accessing administrative roles or sensitive data in other applications.

The vulnerability affects ZITADEL versions 4.0.0 through 4.15.2 and 3.0.0 through 3.4.12 and has been fixed in version 4.15.3.

Impact Analysis

This vulnerability can allow an attacker with a low-privilege token to escalate their permissions by exchanging it for a token with higher privileges at another application.

As a result, attackers could gain administrative roles, access sensitive data, or perform unauthorized actions that violate intended authorization and separation policies.

The risk is particularly high for public clients that do not require client secrets, making it easier for attackers to exploit the flaw.

Overall, this can lead to significant confidentiality and integrity breaches within your identity management and connected applications.

Detection Guidance

This vulnerability involves the OAuth2 Token Exchange endpoint allowing a low-privilege token to be exchanged for elevated permissions without proper validation. Detection would involve monitoring OAuth2 Token Exchange requests for unusual token exchanges where a token is exchanged across clients or where requested scopes exceed those originally granted.

Specifically, you can look for token exchange requests using the grant type urn:ietf:params:oauth:grant-type:token-exchange and analyze if the subject token belongs to the requesting client and if the requested scopes are within the original token's scopes.

Commands or methods to detect this might include:

  • Inspect OAuth2 token exchange logs for requests with grant_type=urn:ietf:params:oauth:grant-type:token-exchange.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze OAuth2 token exchange traffic for suspicious scope escalation or cross-client token exchanges.
  • Query your identity management logs or API gateway logs for token exchange requests where the subject token client ID does not match the requesting client ID.
  • Example command to filter logs (assuming logs contain JSON entries):
  • grep 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' /path/to/logfile | jq '.requested_scopes, .subject_token_client_id, .requesting_client_id'

Note: The exact commands depend on your logging and monitoring setup. There is no explicit command provided in the resources.

Mitigation Strategies

Immediate mitigation steps for CVE-2026-56668 include upgrading ZITADEL to version 4.15.3 or later, where the vulnerability is fixed by adding client and scope validation in the OAuth2 Token Exchange endpoint.

If upgrading immediately is not possible, alternative mitigations include disabling the Token Exchange feature flag or removing the token exchange grant type from your configuration to prevent exploitation.

These steps prevent unauthorized token exchanges that could lead to privilege escalation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56668. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart