PatchSiren cyber security CVE debrief
CVE-2026-55672 zitadel CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T18:16:23.637Z and has not been modified since then. ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows failed to verify the requesting client, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2. Organizations using ZITADEL for identity management should verify their versions and apply patches to prevent unauthorized token exchanges.
- Vendor
- zitadel
- Product
- Unknown
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Organizations using ZITADEL for identity management should verify their versions and apply patches to prevent unauthorized token exchanges. This includes reviewing client configurations for proper authorization flow verification and monitoring for suspicious token exchange activities. Security teams and vulnerability management teams should also be aware of the potential impact and take steps to mitigate it.
Technical summary
ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows failed to verify the requesting client, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2. The vulnerability allows for unauthorized access to sensitive information and systems. Affected organizations should prioritize patching to prevent exploitation.
Defensive priority
High priority for organizations using ZITADEL, as exploitation could lead to unauthorized access.
Recommended defensive actions
- Verify ZITADEL version and apply patches to 3.4.12 or 4.15.2
- Review client configurations for proper authorization flow verification
- Monitor for suspicious token exchange activities
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record and NVD entry provide details on the vulnerability and fixed versions. Further analysis is needed to determine affected scope and potential impact. Organizations should verify their ZITADEL versions and apply patches to prevent unauthorized token exchanges. Evidence limits suggest that exploitation could lead to unauthorized access, but additional verification is required to confirm affected systems.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T18:16:23.637Z and has not been modified since then.