Description
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `<token_id>:<user_id>`. v2 tokens distinguished further where the `token_id` is of the format `v2_<oidc_session_id>-at_<access_token_id>`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.
Published: 2026-02-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

ZITadel, an open source identity management platform, issued opaque OIDC access tokens in a v2 format that were truncated to 80 characters. Because the system ignored the user ID part of the token payload during verification, truncated tokens were still accepted as valid. While the missing user ID could theoretically suggest an authentication flaw, the vendor states that the issue is not considered exploitable and does not grant any unauthorized privileges.

Affected Systems

The vulnerability affects Zitadel versions starting from 2.31.0 up to, but not including, 3.4.7 and 4.11.0. Systems running any of these unpatched releases should be considered potentially exposed to the issue.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk level, and the low EPSS score (<1%) suggests an unlikely exploit. The vulnerability is not listed in CISA’s KEV catalog, and no public exploits have been observed. The likely attack vector involves an attacker crafting a truncated token and presenting it to a Zitadel deployment that has not applied the 3.4.7 or 4.11.0 patch. Because the bug does not grant additional privileges, it is considered non-exploitable under current information.

Generated by OpenCVE AI on April 18, 2026 at 10:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zitadel to version 3.4.7 or later (4.11.0 or newer) so that the user ID is verified during token validation.
  • If your deployment configuration allows, disable the acceptance of truncated tokens to avoid relying on this validation behavior.
  • Monitor authentication logs for anomalous truncated tokens and investigate any irregularities.

Generated by OpenCVE AI on April 18, 2026 at 10:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6mq3-xmgp-pjm5 ZITADEL's truncated opaque tokens are still valid
History

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Zitadel
Zitadel zitadel
Vendors & Products Zitadel
Zitadel zitadel

Thu, 26 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `<token_id>:<user_id>`. v2 tokens distinguished further where the `token_id` is of the format `v2_<oidc_session_id>-at_<access_token_id>`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.
Title ZITADEL's truncated opaque tokens are still valid
Weaknesses CWE-302
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Zitadel Zitadel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T17:00:29.815Z

Reserved: 2026-02-24T02:32:39.801Z

Link: CVE-2026-27840

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T01:16:25.103

Modified: 2026-03-05T16:04:57.103

Link: CVE-2026-27840

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses