CVE-2026-27840

MEDIUM
Chinese title:
(no data)
English title:
ZITADEL's truncated opaque tokens are still valid
CVSS score: 4.3
Published: 2026-02-26 00:27:08
Vulnerability type: (no data)
Status: PUBLISHED
Data quality score: 0.40
Data version: v2
Vulnerability description
Chinese description:

(no data)

English description:

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format that are truncated to 80 characters are still considered valid. Zitadel uses symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and a user ID. Internally, Zitadel has two different versions of token payloads. v1 tokens are no longer created, but are still verified so as not to invalidate existing sessions after an upgrade. The cleartext payload has the format `<token_id>:<user_id>`. v2 tokens are distinguished further in that the `token_id` has the format `v2_<oidc_session_id>-at_<access_token_id>`. For v1 tokens, the authZ/authN session data is retrieved from the database using the (simple) `token_id` value and the `user_id` value; the `user_id` (called `subject` in some parts of our code) was used as the trusted user ID. For v2 tokens, the authZ/authN session data is retrieved from the database using the `oidc_session_id` and `access_token_id`, and in this case the `user_id` from the token is ignored and taken from the session data in the database instead. By truncating the token to 80 characters, the `user_id` is missing from the cleartext of the v2 token, yet the back-end still accepts it for the reasons above. This issue is not considered exploitable, but may look awkward when reproduced. The patch in versions 4.11.0 and 3.4.7 resolves the issue by verifying the `user_id` from the token against the session data from the database. No known workarounds are available.
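The v2 validation flow before and after the patch, as an added illustration in Go (ZITADEL's language) that is not ZITADEL's own code: the in-memory session store, the sample identifiers and the `subject` function are constructed stand-ins, and only the cleartext layouts `<token_id>:<user_id>` and `v2_<oidc_session_id>-at_<access_token_id>` are taken from the description above. It models the decrypted cleartext only, so a "truncated" token is one whose cleartext ends right after the `token_id`.

```go
package main

import (
	"errors"
	"strings"
)

// Constructed stand-in for the session row ZITADEL loads from its database,
// keyed by oidc_session_id (sample data, not the project's real schema).
type session struct{ accessTokenID, userID string }

var sessions = map[string]session{"sess1": {accessTokenID: "at1", userID: "user-123"}}

type v2Payload struct{ oidcSessionID, accessTokenID, userID string }

// parseV2 splits the decrypted cleartext `<token_id>:<user_id>`, where token_id is
// `v2_<oidc_session_id>-at_<access_token_id>`. A cleartext cut short right behind
// the token_id still parses, only with an empty userID.
func parseV2(cleartext string) (v2Payload, error) {
	tokenID, userID, _ := strings.Cut(cleartext, ":")
	if !strings.HasPrefix(tokenID, "v2_") {
		return v2Payload{}, errors.New("not a v2 token")
	}
	sessID, atID, ok := strings.Cut(strings.TrimPrefix(tokenID, "v2_"), "-at_")
	if !ok || sessID == "" || atID == "" {
		return v2Payload{}, errors.New("malformed v2 token id")
	}
	return v2Payload{sessID, atID, userID}, nil
}

// subject resolves a token to its subject (user ID). With verifyUserID=false it
// mirrors the pre-fix flow: the subject comes from the database and the token's
// user_id is never consulted, so a truncated token passes. With verifyUserID=true
// it applies the patch's check: the token's user_id must equal the session's user.
func subject(cleartext string, verifyUserID bool) (string, error) {
	p, err := parseV2(cleartext)
	if err != nil {
		return "", err
	}
	s, ok := sessions[p.oidcSessionID]
	if !ok || s.accessTokenID != p.accessTokenID {
		return "", errors.New("no matching session")
	}
	if verifyUserID && p.userID != s.userID {
		return "", errors.New("token user_id does not match session")
	}
	return s.userID, nil
}
```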

CWE type:
CWE-302
Tags:
(no data)
Affected products
Vendor	Product	Version	Version range	Platform	CPE
zitadel zitadel >= 4.0.0, < 4.11.0 - - cpe:2.3:a:zitadel:zitadel:>=_4.0.0,_<_4.11.0:*:*:*:*:*:*:*
zitadel zitadel >= 3.0.0, < 3.4.7 - - cpe:2.3:a:zitadel:zitadel:>=_3.0.0,_<_3.4.7:*:*:*:*:*:*:*
zitadel zitadel >= 2.31.0, <= 2.71.19 - - cpe:2.3:a:zitadel:zitadel:>=_2.31.0,_<=_2.71.19:*:*:*:*:*:*:*
Solution
Chinese solution:
(no data)
English solution:
(no data)
Workaround:
(no data)
References
https://github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5 x_refsource_CONFIRM (cve.org)
https://github.com/zitadel/zitadel/releases/tag/v3.4.7 x_refsource_MISC (cve.org)
https://github.com/zitadel/zitadel/releases/tag/v4.11.0 x_refsource_MISC (cve.org)
CVSS score details
3.1 (cna)
MEDIUM
4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Time information
Published:
2026-02-26 00:27:08
Modified:
2026-02-26 00:27:08
Created:
2026-02-26 06:00:01
Updated:
2026-02-28 06:00:02
Exploit information
No exploit code information available
Data source details
Data source	Record ID	Version	Extraction time
CVE cve_CVE-2026-27840 2026-02-26 03:19:54 2026-02-25 22:00:01
NVD nvd_CVE-2026-27840 2026-02-27 02:00:05 2026-02-26 22:00:03
Version and language
Current version: v2
Primary language: EN
Supported languages:
EN
Security advisories
No security advisory information available
Change history
v2 NVD
2026-02-27 06:00:03
data_sources: ['cve'] → ['cve', 'nvd']