Skip to content

ZITADEL's truncated opaque tokens are still valid

Moderate severity GitHub Reviewed Published Feb 25, 2026 in zitadel/zitadel • Updated Feb 27, 2026

Package

gomod github.com/zitadel/zitadel (Go)

Affected versions

>= 4.0.0, < 4.11.0
>= 3.0.0, < 3.4.7
>= 2.31.0, <= 2.71.19
< 1.80.0-v2.20.0.20260216092519-feab8e1fa371

Patched versions

4.11.0
3.4.7
1.80.0-v2.20.0.20260216092519-feab8e1fa371

Description

Summary

Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid.

ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade.

The cleartext payload has a format of <token_id>:<user_id>. v2 tokens distinguished further where the token_id is of the format v2_<oidc_session_id>-at_<access_token_id>. This is an example of such a cleartext: V2_354201447279099906-at_354201447279165442:354201364702363650

Impact

V1 token authZ/N session data is retrieved from the database using the (simple) token_id value and user_id value. The user_id (called subject in some parts of our code) was used as being the trusted user ID.

V2 token authZ/N session data is retrieved from the database using the oidc_session_id and access_token_id and in this case the user_id from the token is ignored and taken from the session data in the database.

By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token: V2_354201447279099906-at_354201447279165442: The back-end still accepts this for above reasons.

This issue is not considered exploitable, but may look awkward when reproduced.

Affected Versions

All versions within the following ranges, including release candidates (RCs), are affected:

  • v4.x: 4.0.0 through 4.10.1
  • 3.x: 3.0.0 through 3.4.6
  • 2.x: 2.31.0 through 2.71.19

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by verifying the user_id from the token against the session data from the database

4.x: Upgrade to >=4.11.0
3.x: Update to >=3.4.7
2.x: Update to >=3.4.7

Workarounds

The recommended solution is to update ZITADEL to a patched version.

Questions

If there any questions or comments about this advisory, please send an email to security@zitadel.com

Credits

ZITADEL thanks Olivier Becker and Lucas Dodgson for reporting this vulnerability.

References

@livio-a livio-a published to zitadel/zitadel Feb 25, 2026
Published by the National Vulnerability Database Feb 26, 2026
Published to the GitHub Advisory Database Feb 27, 2026
Reviewed Feb 27, 2026
Last updated Feb 27, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(3rd percentile)

Weaknesses

Authentication Bypass by Assumed-Immutable Data

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. Learn more on MITRE.

CVE ID

CVE-2026-27840

GHSA ID

GHSA-6mq3-xmgp-pjm5

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.