CVE-2026-27840

Feb. 27, 2026, 2:06 p.m.

4.3
Medium

Description

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `<token_id>:<user_id>`. v2 tokens distinguished further where the `token_id` is of the format `v2_<oidc_session_id>-at_<access_token_id>`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.

Product(s) Impacted

Vendor Product Versions
Zitalel
  • Zitalel
  • 2.31.0, <3.4.7, 3.4.7, 4.11.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-302
Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a zitalel zitalel 2.31.0 / / / / / / /
a zitalel zitalel <3.4.7 / / / / / / /
a zitalel zitalel 3.4.7 / / / / / / /
a zitalel zitalel 4.11.0 / / / / / / /

References

https://github.com/zitadel/zitadel/releases/tag/v3.4.7
https://github.com/zitadel/zitadel/releases/tag/v4.11.0
https://github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5

Tags

[email protected]
CWE-302
2026-02-26
CVE-2026-27840

CVSS Score

4.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: Feb. 26, 2026, 1:16 a.m.
Last Modified: Feb. 27, 2026, 2:06 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.