ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer (iss) but not the audience (aud) claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted by ZITADEL. This issue is fixed in versions 3.4.12 and 4.15.2.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-346"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55669.json"
}{
"extracted_events": [
{
"introduced": "4.0.0-rc.1"
},
{
"fixed": "4.15.2"
},
{
"introduced": "0"
},
{
"fixed": "3.4.12"
}
],
"source": [
"AFFECTED_FIELD",
"REFERENCES"
]
}