GHSA-6mq3-xmgp-pjm5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6mq3-xmgp-pjm5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-6mq3-xmgp-pjm5/GHSA-6mq3-xmgp-pjm5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6mq3-xmgp-pjm5
- Aliases
- Published
- 2026-02-27T21:22:00Z
- Modified
- 2026-02-28T05:14:45.396963Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- ZITADEL's truncated opaque tokens are still valid
- Details
-
Summary
Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid.
ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade.
The cleartext payload has a format of
<token_id>:<user_id>. v2 tokens distinguished further where thetoken_idis of the formatv2_<oidc_session_id>-at_<access_token_id>. This is an example of such a cleartext:V2_354201447279099906-at_354201447279165442:354201364702363650Impact
V1 token authZ/N session data is retrieved from the database using the (simple)
token_idvalue anduser_idvalue. Theuser_id(calledsubjectin some parts of our code) was used as being the trusted user ID.V2 token authZ/N session data is retrieved from the database using the
oidc_session_idandaccess_token_idand in this case theuser_idfrom the token is ignored and taken from the session data in the database.By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token:
V2_354201447279099906-at_354201447279165442:The back-end still accepts this for above reasons.This issue is not considered exploitable, but may look awkward when reproduced.
Affected Versions
All versions within the following ranges, including release candidates (RCs), are affected: - v4.x:
4.0.0through4.10.1- 3.x:3.0.0through3.4.6- 2.x:2.31.0through2.71.19Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by verifying the
user_idfrom the token against the session data from the database4.x: Upgrade to >=4.11.0 3.x: Update to >=3.4.7 2.x: Update to >=3.4.7
Workarounds
The recommended solution is to update ZITADEL to a patched version.
Questions
If there any questions or comments about this advisory, please send an email to security@zitadel.com
Credits
ZITADEL thanks Olivier Becker and Lucas Dodgson for reporting this vulnerability.
- Database specific
{ "cwe_ids": [ "CWE-302" ], "severity": "MODERATE", "nvd_published_at": "2026-02-26T01:16:25Z", "github_reviewed_at": "2026-02-27T21:22:00Z", "github_reviewed": true }- References
-
- https://github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5
- https://nvd.nist.gov/vuln/detail/CVE-2026-27840
- https://github.com/zitadel/zitadel/commit/feab8e1fa371f3ad654640fc869b2c14f2fdb602
- https://github.com/zitadel/zitadel
- https://github.com/zitadel/zitadel/releases/tag/v2.71.19
- https://github.com/zitadel/zitadel/releases/tag/v3.4.7
- https://github.com/zitadel/zitadel/releases/tag/v4.11.0
Affected packages
Go
github.com/zitadel/zitadel
Package
- Name
- github.com/zitadel/zitadel
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/zitadel/zitadel
github.com/zitadel/zitadel
Package
- Name
- github.com/zitadel/zitadel
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/zitadel/zitadel
github.com/zitadel/zitadel
Package
- Name
- github.com/zitadel/zitadel
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/zitadel/zitadel
github.com/zitadel/zitadel
Package
- Name
- github.com/zitadel/zitadel
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/zitadel/zitadel