CVE-2026-27840 (GCVE-0-2026-27840)

Vulnerability from cvelistv5 – Published: 2026-02-26 00:27 – Updated: 2026-02-26 17:00
VLAI?
Title
ZITADEL's truncated opaque tokens are still valid
Summary
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `<token_id>:<user_id>`. v2 tokens distinguished further where the `token_id` is of the format `v2_<oidc_session_id>-at_<access_token_id>`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE
  • CWE-302 - Authentication Bypass by Assumed-Immutable Data
Assigner
References
Impacted products
Vendor Product Version
zitadel zitadel Affected: >= 4.0.0, < 4.11.0
Affected: >= 3.0.0, < 3.4.7
Affected: >= 2.31.0, <= 2.71.19
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27840",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T16:54:28.332275Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:00:29.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zitadel",
          "vendor": "zitadel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.11.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.31.0, \u003c= 2.71.19"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid.  Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `\u003ctoken_id\u003e:\u003cuser_id\u003e`. v2 tokens distinguished further where the `token_id` is of the format `v2_\u003coidc_session_id\u003e-at_\u003caccess_token_id\u003e`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-302",
              "description": "CWE-302: Authentication Bypass by Assumed-Immutable Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T00:27:08.933Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5"
        },
        {
          "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.7"
        },
        {
          "name": "https://github.com/zitadel/zitadel/releases/tag/v4.11.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zitadel/zitadel/releases/tag/v4.11.0"
        }
      ],
      "source": {
        "advisory": "GHSA-6mq3-xmgp-pjm5",
        "discovery": "UNKNOWN"
      },
      "title": "ZITADEL\u0027s truncated opaque tokens are still valid"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27840",
    "datePublished": "2026-02-26T00:27:08.933Z",
    "dateReserved": "2026-02-24T02:32:39.801Z",
    "dateUpdated": "2026-02-26T17:00:29.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27840\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-26T01:16:25.103\",\"lastModified\":\"2026-03-05T16:04:57.103\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid.  Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `\u003ctoken_id\u003e:\u003cuser_id\u003e`. v2 tokens distinguished further where the `token_id` is of the format `v2_\u003coidc_session_id\u003e-at_\u003caccess_token_id\u003e`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.\"},{\"lang\":\"es\",\"value\":\"ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. A partir de la versi\u00f3n 2.31.0 y antes de las versiones 3.4.7 y 4.11.0, los tokens de acceso OIDC opacos en formato v2 truncados a 80 caracteres todav\u00eda se consideran v\u00e1lidos. Zitadel utiliza un cifrado AES sim\u00e9trico para tokens opacos. La carga \u00fatil en texto claro es una concatenaci\u00f3n de un par de identificadores, como un ID de token y un ID de usuario. Internamente, Zitadel tiene 2 versiones diferentes de cargas \u00fatiles de token. Los tokens v1 ya no se crean, pero a\u00fan se verifican para no invalidar las sesiones existentes despu\u00e9s de la actualizaci\u00f3n. La carga \u00fatil en texto claro tiene un formato de \u0027:\u0027. Los tokens v2 se distinguen a\u00fan m\u00e1s donde el \u0027token_id\u0027 tiene el formato \u0027v2_-at_\u0027. Los datos de sesi\u00f3n de authZ/N del token v1 se recuperan de la base de datos utilizando el valor (simple) de \u0027token_id\u0027 y el valor de \u0027user_id\u0027. El \u0027user_id\u0027 (llamado \u0027subject\u0027 en algunas partes de nuestro c\u00f3digo) se utilizaba como el ID de usuario de confianza. Los datos de sesi\u00f3n de authZ/N del token v2 se recuperan de la base de datos utilizando el \u0027oidc_session_id\u0027 y el \u0027access_token_id\u0027 y, en este caso, el \u0027user_id\u0027 del token se ignora y se toma de los datos de sesi\u00f3n en la base de datos. Al truncar el token a 80 caracteres, el \u0027user_id\u0027 ahora falta en el texto claro del token v2. El back-end todav\u00eda acepta esto por las razones mencionadas. Este problema no se considera explotable, pero puede parecer inc\u00f3modo cuando se reproduce. El parche en las versiones 4.11.0 y 3.4.7 resuelve el problema verificando el \u0027user_id\u0027 del token contra los datos de sesi\u00f3n de la base de datos. No se conocen soluciones alternativas disponibles.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-302\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.31.0\",\"versionEndIncluding\":\"2.71.19\",\"matchCriteriaId\":\"D62A054C-6B24-4F4D-9587-C98EBF9EC49B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.4.7\",\"matchCriteriaId\":\"13AFE625-3EEE-4FC7-8F6A-BA4DDC111D67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.11.0\",\"matchCriteriaId\":\"3DA193AE-B1BE-4BDD-B4B2-3A59926CC0BA\"}]}]}],\"references\":[{\"url\":\"https://github.com/zitadel/zitadel/releases/tag/v3.4.7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/zitadel/zitadel/releases/tag/v4.11.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.