PatchSiren

zitadel CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH zitadel CVE published 2026-07-10

CVE-2026-56668

A high-severity vulnerability was found in ZITADEL's OAuth2 Token Exchange endpoint. Prior to version 4.15.3, the endpoint did not verify that the subject token belonged to the requesting client or that requested scopes remained within the original token's scopes. This allowed a low-privilege token to be exchanged for elevated permissions at another application. The vulnerability has been addressed in ver [truncated]

MEDIUM zitadel CVE published 2026-07-10

CVE-2026-56666

A medium-severity vulnerability was found in ZITADEL, an open-source identity management platform. The external identity provider handler does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3. The vulnerabil [truncated]

MEDIUM zitadel CVE published 2026-07-10

CVE-2026-56664

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T18:16:23.890Z and has not been modified since then. ZITADEL, an open-source identity management platform, has a vulnerability in its external JWT Identity Provider validation. The vulnerability allows arbitrarily old tokens from a trusted issuer to pass authentication when an incoming token omits [truncated]

HIGH zitadel CVE published 2026-07-10

CVE-2026-55672

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T18:16:23.637Z and has not been modified since then. ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows failed to verify the requesting client, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 a [truncated]

LOW zitadel CVE published 2026-07-10

CVE-2026-55671

A vulnerability was found in ZITADEL, an open-source identity management platform, affecting versions from 4.0.0-rc.1 through 4.15.1. The issue lies in the inconsistent validation of user-defined URLs against protected denylist handling in HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches. This allows server-side requests to loopback, internal IP, link-local, or redirected [truncated]

LOW zitadel CVE published 2026-07-10

CVE-2026-55670

A LOW-severity vulnerability was found in ZITADEL, an open-source identity management platform. The event store validation issue could retain the original resource owner for a deleted user identifier, potentially exposing users to unintended organization administrators. This issue is fixed in version 4.15.2. Administrators of ZITADEL installations, especially those with multiple organizations and user man [truncated]

MEDIUM zitadel CVE published 2026-07-10

CVE-2026-55669

A vulnerability was found in ZITADEL, an open-source identity management platform. The external JWT Identity Provider does not validate the audience (aud) claim of a token, allowing a validly signed token from a trusted issuer for another relying party to be accepted. This issue was fixed in versions 3.4.12 and 4.15.2. The vulnerability exists due to insufficient validation of the audience claim in JWT to [truncated]