Description
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer (iss) but not the audience (aud) claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted by ZITADEL. This issue is fixed in versions 3.4.12 and 4.15.2.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-g5h5-m4hm-xjrr | ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider |
References
History
Fri, 10 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Zitadel
Zitadel zitadel |
|
| Vendors & Products |
Zitadel
Zitadel zitadel |
Fri, 10 Jul 2026 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer (iss) but not the audience (aud) claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted by ZITADEL. This issue is fixed in versions 3.4.12 and 4.15.2. | |
| Title | ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider | |
| Weaknesses | CWE-346 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-10T18:16:52.558Z
Reserved: 2026-06-17T00:05:03.777Z
Link: CVE-2026-55669
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T18:30:16Z
Weaknesses
-
CWE-346
Origin Validation Error
Github GHSA