5 matches found
GHSA-6MQ3-XMGP-PJM5 ZITADEL's truncated opaque tokens are still valid
Summary: Opaque OIDC access tokens in v2 format, truncated to 80 characters, are still considered valid. ZITADEL uses symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a few identifiers, such as a token ID and a user ID. Internally ZITADEL has 2 different...
PT-2026-22066
Name of the Vulnerable Software and Affected Versions: ZITADEL versions 2.31.0 through 3.4.6; ZITADEL versions 2.31.0 through 4.10.9. Description: ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in th...
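The two ZITADEL entries above describe the same failure mode: an opaque token that is an unauthenticated AES encryption of concatenated identifiers, checked by a validator that only needs the leading fields, survives truncation. The Go program below is an added illustration of that mechanism and of the fix, not ZITADEL's own code; the payload layout `tokenID:userID:clientID`, the 80-character cut, the all-zero demo key and the sample identifiers are all constructed for the example. The "before" token is `iv || AES-CTR(payload)`: CTR is a stream mode, so any ciphertext prefix decrypts to a plaintext prefix and nothing signals the missing tail. The "after" token is `nonce || AES-GCM(payload)` with an exact field-count check, so a truncated token fails the tag and is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// tokenPayload is a hypothetical opaque-token payload: identifiers joined
// with ':' (constructed for this example, not ZITADEL's real layout).
type tokenPayload struct {
	TokenID, UserID, ClientID string
}

func (p tokenPayload) encode() []byte {
	return []byte(p.TokenID + ":" + p.UserID + ":" + p.ClientID)
}

// samplePayload returns constructed sample identifiers (55 bytes encoded).
func samplePayload() tokenPayload {
	return tokenPayload{"7f3c2a9e1b4d8c6f0a5e", "usr_302718", "client_web_9a1b2c3d4e5f"}
}

// issueUnauthenticated builds iv || AES-CTR(payload). No integrity tag.
func issueUnauthenticated(key []byte, p tokenPayload) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	plain := p.encode()
	buf := make([]byte, aes.BlockSize+len(plain))
	if _, err := io.ReadFull(rand.Reader, buf[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCTR(block, buf[:aes.BlockSize]).XORKeyStream(buf[aes.BlockSize:], plain)
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// validateUnauthenticated decrypts with CTR and accepts the token as soon as
// token ID and user ID are readable. A truncated token still yields both.
func validateUnauthenticated(key []byte, token string) (tokenPayload, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return tokenPayload{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(raw) < aes.BlockSize {
		return tokenPayload{}, errors.New("bad key or token too short")
	}
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCTR(block, raw[:aes.BlockSize]).XORKeyStream(plain, raw[aes.BlockSize:])
	parts := strings.SplitN(string(plain), ":", 3)
	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
		return tokenPayload{}, errors.New("malformed payload")
	}
	out := tokenPayload{TokenID: parts[0], UserID: parts[1]}
	if len(parts) == 3 {
		out.ClientID = parts[2] // may be cut short; the lenient check does not care
	}
	return out, nil
}

// issueAuthenticated builds nonce || AES-GCM(payload); the tag covers all of it.
func issueAuthenticated(key []byte, p tokenPayload) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, p.encode(), nil)), nil
}

// validateAuthenticated opens with GCM (any truncation fails the tag) and
// then requires the exact field count, so a cut payload cannot slip through.
func validateAuthenticated(key []byte, token string) (tokenPayload, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return tokenPayload{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return tokenPayload{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return tokenPayload{}, errors.New("bad key or token too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return tokenPayload{}, errors.New("token integrity check failed")
	}
	parts := strings.Split(string(plain), ":")
	if len(parts) != 3 {
		return tokenPayload{}, errors.New("malformed payload")
	}
	return tokenPayload{parts[0], parts[1], parts[2]}, nil
}

func main() {
	key := make([]byte, 32) // all-zero demo key, for illustration only
	p := samplePayload()
	full, _ := issueUnauthenticated(key, p)
	_, err := validateUnauthenticated(key, full[:80])
	fmt.Printf("CTR token cut to 80 chars accepted: %v\n", err == nil)
	fullA, _ := issueAuthenticated(key, p)
	_, err = validateAuthenticated(key, fullA[:80])
	fmt.Printf("GCM token cut to 80 chars accepted: %v\n", err == nil)
}
```

Both full tokens are longer than 80 base64 characters; cutting at 80 (a multiple of 4, so the prefix still decodes) drops the tail of the client ID in the CTR case, which the lenient validator tolerates, and drops part of the ciphertext plus the tag in the GCM case, which the authenticated validator rejects. The same outcome follows from any length-committing check (a MAC over the whole token, or a fixed expected length verified before decryption).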
CVE-2024-28069
creation timestamp | type | source
---|---|---
2024-03-16 07:21:52+00:00 | seen | https://t.me/ctinow/209378
2024-03-16 07:26:52+00:00 | seen | https://t.me/ctinow/209385...
CVE-2024-0536
creation timestamp | type | source
---|---|---
2024-01-15 05:26:40+00:00 | seen | https://t.me/ctinow/168143
2024-02-03 09:46:30+00:00 | seen | https://t.me/ctinow/178450...
PYSEC-2014-108
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/...