GHSA-G5H5-M4HM-XJRR

Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52
VLAI
Summary
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
Details

Summary

An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.

When validating JSON Web Tokens (JWTs) from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer (iss), but it fails to validate the audience (aud) claim.

As a result, any validly signed token from the trusted issuer will be accepted. An attacker who is a legitimate user of a completely separate service sharing the same enterprise Identity Provider can intercept or present their token for that service to ZITADEL, successfully authenticating as that user without authorization.

Impact

In a controlled enterprise environment where Identity Providers are explicitly managed, the operational risk is localized. Exploitation requires that an attacker already possesses a valid standard user session token from a shared, trusted issuer intended for an entirely different relying party, limiting the vector to specific, rare cross-service setups where trust boundaries overlap.

Affected Versions

Systems running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.11.0 (including RC versions)
  • 3.x: 3.0.0 through 3.4.11 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases, where a required audience can be set in the IdP configuration. Once provided, audience validation will be enforced.

Workarounds

The recommended solution is to update ZITADEL to a patched version.

If an immediate upgrade is not possible, you can mitigate the risk at the infrastructure layer:

  1. At the IdP: Ensure the external Identity Provider issues scoped tokens with highly unique, non-overlapping audience values that cannot be misconstrued by separate service deployments.
  2. At the Perimeter: Deploy a reverse proxy, API gateway, or Web Application Firewall (WAF) layer in front of ZITADEL to inspect incoming identity tokens and explicitly drop requests where the aud field does not strictly match ZITADEL's deployment target.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Android-Login-Analysis, Jason Zhou and Pedro Giglioti for reporting this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.80.0-v2.20.0.20260615132747-d184e976fc79"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:52:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAn authentication bypass vulnerability was discovered in ZITADEL\u0027s external JWT Identity Provider (IdP) implementation.\n\nWhen validating JSON Web Tokens (JWTs) from an external provider, ZITADEL properly checks the token\u0027s cryptographic signature and issuer (`iss`), but it fails to validate the audience (`aud`) claim.\n\nAs a result, any validly signed token from the trusted issuer will be accepted. An attacker who is a legitimate user of a completely separate service sharing the same enterprise Identity Provider can intercept or present their token for that service to ZITADEL, successfully authenticating as that user without authorization.\n\n### Impact\n\nIn a controlled enterprise environment where Identity Providers are explicitly managed, the operational risk is localized. Exploitation requires that an attacker already possesses a valid standard user session token from a shared, trusted issuer intended for an entirely different relying party, limiting the vector to specific, rare cross-service setups where trust boundaries overlap.\n\n### Affected Versions\n\nSystems running one of the following versions are affected:\n\n* **4.x**: `4.0.0` through `4.11.0` (including RC versions)\n* **3.x**: `3.0.0` through `3.4.11` (including RC versions)\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases, where a required audience can be set in the IdP configuration. Once provided, audience validation will be enforced.\n\n* **4.x**: Upgrade to $\\ge$ [4.15.2](https://github.com/zitadel/zitadel/releases/tag/v4.15.2)\n* **3.x**: Upgrade to $\\ge$ [3.4.12](https://github.com/zitadel/zitadel/releases/tag/v3.4.12)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version.\n\nIf an immediate upgrade is not possible, you can mitigate the risk at the infrastructure layer:\n\n1. **At the IdP:** Ensure the external Identity Provider issues scoped tokens with highly unique, non-overlapping audience values that cannot be misconstrued by separate service deployments.\n2. **At the Perimeter:** Deploy a reverse proxy, API gateway, or Web Application Firewall (WAF) layer in front of ZITADEL to inspect incoming identity tokens and explicitly drop requests where the `aud` field does not strictly match ZITADEL\u0027s deployment target.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to [Android-Login-Analysis](https://github.com/Android-Login-Analysis), Jason Zhou and [Pedro Giglioti](https://github.com/Punisher100) for reporting this vulnerability.",
  "id": "GHSA-g5h5-m4hm-xjrr",
  "modified": "2026-06-18T13:52:24Z",
  "published": "2026-06-18T13:52:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g5h5-m4hm-xjrr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/d184e976fc799a383bb6ef9f32c3bae11a3ef85f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": " ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…