2 matches found
CVE-2026-56664
ZITADEL’s external JWT Identity Provider validation (internal/idp/providers/jwt/session.go) did not enforce maximum token age (missing iat) in tokens, allowing arbitrarily old tokens from a trusted issuer to pass authentication. Affected: ZITADEL core platform; vulnerable code path in the JWT IdP...
CVE-2026-55669
CVE-2026-55669 affects ZITADEL: the external JWT Identity Provider failed to validate the audience (aud) claim, accepting a token signed for a different relying party. The issue, affecting ZITADEL’s JWT IdP implementation, is mitigated by requiring audience validation and is fixed in versions 3.4...