Back to overview

CVE-2026-55672

HIGH
7.4
CVSS 3.1
Description
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2.

Metadata

CVE ID
CVE-2026-55672
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 00:05 UTC
Published
2026-07-10 17:19 UTC
Last updated
2026-07-10 18:38 UTC
Primary CWE
CWE-287
CWE-287: Improper Authentication
Vendor / Product
zitadel / zitadel
Sources
cve.org  ·  NVD

Severity & Metrics

7.4 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
zitadel zitadel >= 4.0.0-rc.1, < 4.15.2, < 3.4.12
Weakness (CWE)
CWESourceDescription
CWE-287 cna CWE-287: Improper Authentication
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.4 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References (5)
Back to overview