CVE-2026-27840

4.3 MEDIUM

📋 TL;DR

ZITADEL identity management platform versions 2.31.0 through 3.4.6 and 4.0.0 through 4.10.0 have a token validation flaw where truncated OIDC access tokens are incorrectly accepted. This could allow anomalous authentication behavior, though the vendor states it's not exploitable. Organizations using affected ZITADEL versions for identity management are impacted.

💻 Affected Systems

Products:
  • ZITADEL
Versions: 2.31.0 through 3.4.6, and 4.0.0 through 4.10.0
Operating Systems: All platforms running ZITADEL
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions with OIDC opaque tokens are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Potential authentication anomalies where truncated tokens might cause unexpected behavior in session handling, though no privilege escalation or data access is possible according to the vendor.

🟠

Likely Case

Awkward authentication behavior when truncated tokens are presented, potentially causing session inconsistencies or logging anomalies.

🟢

If Mitigated

With proper patching, no impact as token validation is properly enforced.

🌐 Internet-Facing: MEDIUM - ZITADEL is often internet-facing for identity services, but the vulnerability has limited exploitability.
🏢 Internal Only: MEDIUM - Same risk profile regardless of deployment location since the vulnerability is in token validation logic.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires specific token truncation and the vendor states it's not exploitable for privilege escalation.

The vulnerability requires presenting specifically truncated tokens and appears to cause anomalous behavior rather than security breaches.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.7 or 4.11.0

Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5

Restart Required: Yes

Instructions:

1. Back up your ZITADEL instance and database.
2. Upgrade to version 3.4.7 if on the v3 branch, or 4.11.0 if on the v4 branch.
3. Restart ZITADEL services.
4. Verify token validation is working correctly.

🔧 Temporary Workarounds

No workarounds available


The vendor states no known workarounds exist for this token validation issue.

🧯 If You Can't Patch

  • Monitor authentication logs for anomalous token validation attempts
  • Implement additional authentication validation layers in front of ZITADEL

🔍 How to Verify

Check if Vulnerable:

Check ZITADEL version: if between 2.31.0-3.4.6 or 4.0.0-4.10.0, you are vulnerable.

Check Version:

Check ZITADEL admin interface or run: zitadel version (if CLI available)

Verify Fix Applied:

After patching, test OIDC token validation with various token formats to ensure proper rejection of truncated tokens.
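One way to carry out that post-patch check, as an added example that is not part of the advisory or of ZITADEL's own tooling: present a known-good access token and several truncated prefixes of it to an RFC 7662 introspection endpoint and confirm that only the full token is reported active. The endpoint URL, client credentials and the environment variable names are assumptions for this example.

```python
"""Verify that an OIDC introspection endpoint rejects truncated tokens."""
import base64
import json
import os
import urllib.parse
import urllib.request
from typing import Callable

# Prefix lengths to probe, as fractions of the full token length.
PROBE_FRACTIONS = (0.95, 0.75, 0.5)


def truncated_variants(token: str) -> list[str]:
    """Return strictly shorter prefixes of the token to test against."""
    cuts = {max(1, int(len(token) * f)) for f in PROBE_FRACTIONS}
    return [token[:c] for c in sorted(cuts, reverse=True) if c < len(token)]


def assess(introspect: Callable[[str], bool], token: str) -> dict:
    """`introspect` returns True when the server reports a token as active.
    The fix is confirmed only if the full token is active and every
    truncated variant is rejected."""
    full_ok = introspect(token)
    accepted = [t for t in truncated_variants(token) if introspect(t)]
    if accepted:
        verdict = "vulnerable"
    elif full_ok:
        verdict = "fixed"
    else:
        verdict = "inconclusive"  # full token not active: nothing was tested
    return {"full_token_active": full_ok,
            "truncated_accepted": len(accepted), "verdict": verdict}


def rfc7662_introspector(url, client_id, client_secret) -> Callable[[str], bool]:
    """Build an introspection callable for an RFC 7662 endpoint that
    authenticates the client with HTTP Basic credentials."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

    def introspect(tok: str) -> bool:
        body = urllib.parse.urlencode({"token": tok}).encode()
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return bool(json.load(resp).get("active"))
    return introspect


if __name__ == "__main__":  # env var names are assumptions for this example
    intro = rfc7662_introspector(*(os.environ[k] for k in (
        "ZITADEL_INTROSPECT_URL", "ZITADEL_CLIENT_ID", "ZITADEL_CLIENT_SECRET")))
    print(json.dumps(assess(intro, os.environ["ZITADEL_TEST_TOKEN"]), indent=2))
```

Use a short-lived test token issued to a dedicated test client, and expect `"verdict": "fixed"` on 3.4.7 / 4.11.0; any accepted truncated variant means the instance is still affected.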

📡 Detection & Monitoring

Log Indicators:

  • Authentication logs showing truncated token acceptance
  • Anomalous session creation patterns

Network Indicators:

  • OIDC token requests with unusually short tokens

SIEM Query:

source="zitadel" AND (token_length<100 OR "truncated" OR "validation_error")

🔗 References
