Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider (CVE-2026-56664)

0
Medium
Published: 06/18/2026 (06/18/2026, 13:52:21 UTC)
Source: GCVE Database
Product: github.com/zitadel/zitadel

Description

ZITADEL's external JWT Identity Provider implementation has a vulnerability where tokens missing the 'iat' (issued at) claim bypass the token freshness check, allowing reuse of arbitrarily old tokens. This flaw affects versions 3.0.0 through 3.4.11 and 4.0.0 through 4.15.1. The issue is fixed in versions 3.4.12 and 4.15.2, which reject tokens lacking the 'iat' claim. Without the 'iat' claim, the maximum age freshness validation is skipped, compromising session integrity.

CVSS v3.1

Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected software

Goghsa
github.com/zitadel/zitadel
Affected versions
<1.80.0-v2.20.0.20260615122908-fad02c6d9f45

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/18/2026, 19:27:54 UTC

Technical Analysis

A token lifecycle validation vulnerability exists in ZITADEL's external JWT IdP provider where the maximum token age freshness check is bypassed if the token omits the 'iat' claim. ZITADEL enforces a 1-hour maximum token age based on 'iat', but if 'iat' is missing, the check is skipped, allowing arbitrarily old tokens to authenticate successfully. This violates OIDC Core 1.0 specifications requiring strict session expiration enforcement. The vulnerability affects ZITADEL versions 3.0.0 through 3.4.11 and 4.0.0 through 4.15.1. The issue is fixed in versions 3.4.12 and 4.15.2, which explicitly reject tokens missing the 'iat' claim.

Potential Impact

An attacker with access to a stale JWT token that lacks the 'iat' claim can reuse this token indefinitely to authenticate, bypassing the intended 1-hour maximum token age restriction. This compromises session integrity by allowing potentially expired sessions to remain valid, increasing the risk of unauthorized access.

Mitigation Recommendations

A fix is available. Upgrade ZITADEL to version 3.4.12 or later, or 4.15.2 or later, which explicitly reject tokens missing the 'iat' claim. If immediate upgrade is not feasible, ensure the upstream Identity Provider includes the 'iat' claim in all signed JWTs to prevent acceptance of stale tokens.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-wxg7-w2v3-w38g
Osv Schema Version
1.4.0
Aliases
["CVE-2026-56664"]
Ecosystems
["Go"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a5bd3192a4a8d59892850b3

Added to database: 07/18/2026, 19:25:13 UTC

Last enriched: 07/18/2026, 19:27:54 UTC

Last updated: 07/18/2026, 21:23:35 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses