10 matches found
GHSA-6MQ3-XMGP-PJM5 ZITADEL's truncated opaque tokens are still valid
Summary Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid. ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different...
ZITADEL's truncated opaque tokens are still valid
Summary Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid. ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different...
CVE-2026-27840
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...
CVE-2026-27840
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...
CVE-2026-27840
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...
CVE-2026-27840
Technical details for CVE-2026-27840 are not provided in the supplied documents. Monitor for updates and vendor advisories for Zitadel versions and remediation.
CVE-2026-27840 ZITADEL's truncated opaque tokens are still valid
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...
CVE-2026-27840 ZITADEL's truncated opaque tokens are still valid
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...
PT-2026-22066
Name of the Vulnerable Software and Affected Versions ZITADEL versions 2.31.0 through 3.4.6 ZITADEL versions 2.31.0 through 4.10.9 Description ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in th...
GHSA-J4P3-2M2H-CV5F Cloud Foundry UAA Denial of Service through client token revocation endpoint
An issue was discovered in Cloud Foundry Foundation cf-release all versions prior to v279 and UAA 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1. In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other...