Lucene search
K

10 matches found

OSV
OSV
added 2026/02/27 9:22 p.m.5 views

GHSA-6MQ3-XMGP-PJM5 ZITADEL's truncated opaque tokens are still valid

Summary Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid. ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different...

4.3CVSS5.8AI score0.00142EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/02/27 9:22 p.m.8 views

ZITADEL's truncated opaque tokens are still valid

Summary Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid. ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different...

4.3CVSS5.8AI score0.00142EPSS
Exploits0References7Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/27 4:13 a.m.8 views

CVE-2026-27840

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

4.3CVSS5.5AI score0.00142EPSS
Exploits0References1
NVD
NVD
added 2026/02/26 1:16 a.m.15 views

CVE-2026-27840

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

4.3CVSS0.00142EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/26 12:27 a.m.5 views

CVE-2026-27840

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

4.3CVSS5.5AI score0.00142EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/02/26 12:27 a.m.24 views

CVE-2026-27840

Technical details for CVE-2026-27840 are not provided in the supplied documents. Monitor for updates and vendor advisories for Zitadel versions and remediation.

4.3CVSS5.5AI score0.00142EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/26 12:27 a.m.9 views

CVE-2026-27840 ZITADEL's truncated opaque tokens are still valid

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

4.3CVSS5.6AI score0.00142EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/26 12:27 a.m.34 views

CVE-2026-27840 ZITADEL's truncated opaque tokens are still valid

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

4.3CVSS0.00142EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.10 views

PT-2026-22066

Name of the Vulnerable Software and Affected Versions ZITADEL versions 2.31.0 through 3.4.6 ZITADEL versions 2.31.0 through 4.10.9 Description ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in th...

9.9CVSS5.9AI score0.22162EPSS
Exploits70References139
OSV
OSV
added 2022/05/13 1:10 a.m.28 views

GHSA-J4P3-2M2H-CV5F Cloud Foundry UAA Denial of Service through client token revocation endpoint

An issue was discovered in Cloud Foundry Foundation cf-release all versions prior to v279 and UAA 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1. In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other...

5.3CVSS6.1AI score0.01086EPSS
Exploits0References10
Rows per page
Query Builder