CVE-2026-27840
published 2026-02-26CVE-2026-27840: ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2…
PriorityP421medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
EPSS
0.14%
3.9th percentile
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `:`. v2 tokens distinguished further where the `token_id` is of the format `v2_-at_`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20260216092519-feab8e1fa371 | 1.80.0-v2.20.0.20260216092519-feab8e1fa371 |
| github.com | zitadel_zitadel | 2.31.0 – 2.71.19 | — |
| github.com | zitadel_zitadel | >= 3.0.0 < 3.4.7 | 3.4.7 |
| github.com | zitadel_zitadel | >= 4.0.0 < 4.11.0 | 4.11.0 |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | 2.31.0 – 2.71.19 | — |
| zitadel | zitadel | >= 3.0.0 < 3.4.7 | 3.4.7 |
| zitadel | zitadel | >= 4.0.0 < 4.11.0 | 4.11.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel
osv·2026-03-10
CVE-2026-27840 ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel
ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel
ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v3.0.0 before v3.4.7; github.com/zitadel/zitadel from v4.0.0 before v4.11.0.
GHSA
ZITADEL's truncated opaque tokens are still valid
ghsa·2026-02-27
CVE-2026-27840 [MEDIUM] CWE-302 ZITADEL's truncated opaque tokens are still valid
ZITADEL's truncated opaque tokens are still valid
### Summary
Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid.
ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade.
The cleartext payload has a format of `:`. v2 tokens distinguished further where the `token_id` is of the format `v2_-at_`. This is an example of such a cleartext: `V2_354201447279099906-at_354201447279165442:354201364702363650`
### Impact
V1 token authZ/N session data is retrieved from the database usin
OSV
ZITADEL's truncated opaque tokens are still valid
osv·2026-02-27
CVE-2026-27840 [MEDIUM] ZITADEL's truncated opaque tokens are still valid
ZITADEL's truncated opaque tokens are still valid
### Summary
Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid.
ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade.
The cleartext payload has a format of `:`. v2 tokens distinguished further where the `token_id` is of the format `v2_-at_`. This is an example of such a cleartext: `V2_354201447279099906-at_354201447279165442:354201364702363650`
### Impact
V1 token authZ/N session data is retrieved from the database usin
No detection rules found.
No public exploits indexed.
2026-02-26
Published