2 matches found
CVE-2026-56664
ZITADEL’s external JWT Identity Provider validation (internal/idp/providers/jwt/session.go) did not enforce maximum token age (missing iat) in tokens, allowing arbitrarily old tokens from a trusted issuer to pass authentication. Affected: ZITADEL core platform; vulnerable code path in the JWT IdP...
GO-2026-5732 ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider in github.com/zitadel/zitadel
ZITADEL: Missing Token Lifecyle Validation exp and iat in JWT IdP Provider in github.com/zitadel/zitadel...