CVE-2026-56668 PUBLISHED

ZITADEL: Unauthorized Token Privilege Escalation in OAuth2 Token Exchange

Assigner: GitHub_M
Reserved: 22.06.2026 Published: 10.07.2026 Updated: 10.07.2026

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 8.1

Product Status

Vendor zitadel
Product zitadel
Versions
  • Version < 4.15.3 is affected

References

Problem Types

  • CWE-862: Missing Authorization CWE