CVE-2026-55669
published 2026-06-18CVE-2026-55669: ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider ### Summary An authentication bypass vulnerability was discovered in ZITADEL's external…
medium
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider ### Summary An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider (IdP) implementation. When validating JSON Web Tokens (JWTs) from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer (`iss`), but it fails to validate the audience (`aud`) claim. As a result, any validly signed token from the trusted issuer will be accepted. An attacker who is a legitimate user of a completely separate service sharing the same enterprise Identity Provider can intercept or present their token for that service to ZITADEL, successfully authenticating as that user without authorization. ### Impact In a controlled enterprise environment where Identity Providers are explicitly managed, the operational risk is localized. Exploitation requires that an attacker already possesses a valid standard user session token from a shared, trusted issuer intended for an entirely different relying party, limiting the vector to specific, rare cross-service setups where trust boundaries overlap. ### Affected Versions Systems running one of the following versions are affected: * **4.x**: `4.0.0` through `4.11.0` (including RC versions) * **3.x**: `3.0.0` through `3.4.11` (including RC versions) ### Patches The vulnerability has been addressed in the latest releases, where a required audience can be set in the IdP configuration. Once provided, audience validation will be enforced. * **4.x**: Upgrade to $\ge$ [4.15.2](https://github.com/zitadel/zitadel/releases/tag/v4.15.2) * **3.x**: Upgrade to $\ge$ [3.4.12](https://github.com/zitadel/zitadel/releases/tag/v3.4.12) ### Workarounds The recommended solution is to update ZITADEL to a patched version. If an immediate upgrade is not possible, you can mitigate the risk at the infrastructure layer: 1. **At the IdP:** Ensure the external Identity Provider issues scoped tokens with highly unique, n
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20260615132747-d184e976fc79 | 1.80.0-v2.20.0.20260615132747-d184e976fc79 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-18
Published