ZITADEL Opaque Token Validation Logic Flaw
Vulnerability ID: CVE-2026-27840
CVSS Score: 4.3
Published: 2026-02-27
A logical integrity vulnerability exists in ZITADEL's handling of V2 opaque access tokens. Due to insufficient validation of the decrypted token payload, the system accepts truncated tokens that lack the required user identity suffix. This flaw allows modified authentication artifacts to pass verification checks, violating the integrity of the authorization mechanism.
TL;DR
ZITADEL fails to verify the full integrity of decrypted V2 opaque access tokens. By truncating a valid token to approximately 80 characters, an attacker can bypass integrity checks, as the system validates the session identifier but ignores the missing user ID suffix. Fixed in versions 3.4.7 and 4.11.0.
⚠️ Exploit Status: PoC
Technical Details
- CWE: CWE-302
- CVSS v3.1: 4.3 (Medium)
- Attack Vector: Network
- Impact: Integrity Loss
- Exploit Status: PoC Available
- EPSS Score: 0.015%
Affected Systems
- ZITADEL Identity Management Platform
- ZITADEL: >= 3.0.0, < 3.4.7 (Fixed in: 3.4.7)
- ZITADEL: >= 4.0.0, < 4.11.0 (Fixed in: 4.11.0)
Code Analysis
Commit: feab8e1
fix(authz): verify token subject matches active token user
func (repo *TokenVerifierRepo) verifyAccessTokenV2(...) {
+ if activeToken.UserID != subject {
+ return ... zerrors.ThrowUnauthenticated(nil, "APP-3f4fs", "invalid token")
+ }
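Review bot: the new guard `if activeToken.UserID != subject` rejects a truncated token only as a side effect, because the snippet does not show that `subject` was taken from a structurally complete decrypted payload; an explicit check that the payload still carries the user ID suffix, placed before the active-token lookup, would make the rejection deliberate and fail earlier, and a short comment on the guard should record that the session ID alone is not proof of identity so the check is not removed later as redundant.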
Exploit Details
- ZITADEL Security Advisory: Proof of concept involves truncating the opaque access token to 80 characters.
Mitigation Strategies
- Enforce strict equality checks between decrypted token payloads and database records.
- Ensure all authentication artifacts are validated for structural integrity before use.
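An added Go example (not ZITADEL's own code) of the two mitigations above: the decrypted payload is checked for structure before any lookup, and the subject it carries is then compared strictly with the stored record. The `<sessionID>:<userID>` payload layout, the `ActiveToken` type and the in-memory store are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ActiveToken models the stored record a decrypted token is checked against
// (constructed for this example, not ZITADEL's real type).
type ActiveToken struct {
	ID     string
	UserID string
}

var ErrInvalidToken = errors.New("invalid token")

// parseV2Payload splits a decrypted payload into its session ID and user ID
// suffix. The "<sessionID>:<userID>" layout is an assumption for this example.
// A truncated token loses the suffix and must fail here, before any lookup.
func parseV2Payload(payload string) (tokenID, subject string, err error) {
	parts := strings.Split(payload, ":")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", ErrInvalidToken
	}
	return parts[0], parts[1], nil
}

// verifyAccessTokenV2 is the hardened check: structure first, then strict
// equality between the decrypted subject and the stored record's user ID.
func verifyAccessTokenV2(payload string, store map[string]ActiveToken) (string, error) {
	tokenID, subject, err := parseV2Payload(payload)
	if err != nil {
		return "", err
	}
	active, ok := store[tokenID]
	if !ok || active.UserID != subject { // a known session ID alone proves nothing
		return "", ErrInvalidToken
	}
	return active.UserID, nil
}

func main() {
	store := map[string]ActiveToken{"sess-1234": {ID: "sess-1234", UserID: "user-42"}}
	// Constructed inputs: intact, truncated (suffix missing), and mismatched subject.
	for _, p := range []string{"sess-1234:user-42", "sess-1234", "sess-1234:user-99"} {
		uid, err := verifyAccessTokenV2(p, store)
		fmt.Printf("%-20q -> user=%q err=%v\n", p, uid, err)
	}
}
```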
Remediation Steps:
- Identify the current running version of ZITADEL via the management console or API.
- If running v3.x < 3.4.7 or v4.x < 4.11.0, schedule an immediate maintenance window.
- Pull the latest container image or binary for version 3.4.7+ or 4.11.0+.
- Redeploy the ZITADEL service.
- Monitor logs for 'APP-3f4fs' errors to detect invalid token usage.