CVE-2026-27840

{"id": "CVE-2026-27840", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-26T01:16:25.103", "references": [{"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.7", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v4.11.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-302"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `<token_id>:<user_id>`. v2 tokens distinguished further where the `token_id` is of the format `v2_<oidc_session_id>-at_<access_token_id>`. V1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID. V2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database. By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token. The back-end still accepts this for above reasons. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available."}, {"lang": "es", "value": "ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. A partir de la versi\u00f3n 2.31.0 y antes de las versiones 3.4.7 y 4.11.0, los tokens de acceso OIDC opacos en formato v2 truncados a 80 caracteres todav\u00eda se consideran v\u00e1lidos. Zitadel utiliza un cifrado AES sim\u00e9trico para tokens opacos. La carga \u00fatil en texto claro es una concatenaci\u00f3n de un par de identificadores, como un ID de token y un ID de usuario. Internamente, Zitadel tiene 2 versiones diferentes de cargas \u00fatiles de token. Los tokens v1 ya no se crean, pero a\u00fan se verifican para no invalidar las sesiones existentes despu\u00e9s de la actualizaci\u00f3n. La carga \u00fatil en texto claro tiene un formato de ':'. Los tokens v2 se distinguen a\u00fan m\u00e1s donde el 'token_id' tiene el formato 'v2_-at_'. Los datos de sesi\u00f3n de authZ/N del token v1 se recuperan de la base de datos utilizando el valor (simple) de 'token_id' y el valor de 'user_id'. El 'user_id' (llamado 'subject' en algunas partes de nuestro c\u00f3digo) se utilizaba como el ID de usuario de confianza. Los datos de sesi\u00f3n de authZ/N del token v2 se recuperan de la base de datos utilizando el 'oidc_session_id' y el 'access_token_id' y, en este caso, el 'user_id' del token se ignora y se toma de los datos de sesi\u00f3n en la base de datos. Al truncar el token a 80 caracteres, el 'user_id' ahora falta en el texto claro del token v2. El back-end todav\u00eda acepta esto por las razones mencionadas. Este problema no se considera explotable, pero puede parecer inc\u00f3modo cuando se reproduce. El parche en las versiones 4.11.0 y 3.4.7 resuelve el problema verificando el 'user_id' del token contra los datos de sesi\u00f3n de la base de datos. No se conocen soluciones alternativas disponibles."}], "lastModified": "2026-03-05T16:04:57.103", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D62A054C-6B24-4F4D-9587-C98EBF9EC49B", "versionEndIncluding": "2.71.19", "versionStartIncluding": "2.31.0"}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13AFE625-3EEE-4FC7-8F6A-BA4DDC111D67", "versionEndExcluding": "3.4.7", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DA193AE-B1BE-4BDD-B4B2-3A59926CC0BA", "versionEndExcluding": "4.11.0", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}