CVE-2026-27840: ZITADEL's truncated opaque tokens are still valid
Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid.
ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade.
The cleartext payload has a format of <token_id>:<user_id>. v2 tokens distinguished further where the token_id is of the format v2_<oidc_session_id>-at_<access_token_id>. This is an example of such a cleartext: V2_354201447279099906-at_354201447279165442:354201364702363650
References
- github.com/advisories/GHSA-6mq3-xmgp-pjm5
- github.com/zitadel/zitadel
- github.com/zitadel/zitadel/commit/feab8e1fa371f3ad654640fc869b2c14f2fdb602
- github.com/zitadel/zitadel/releases/tag/v2.71.19
- github.com/zitadel/zitadel/releases/tag/v3.4.7
- github.com/zitadel/zitadel/releases/tag/v4.11.0
- github.com/zitadel/zitadel/security/advisories/GHSA-6mq3-xmgp-pjm5
- nvd.nist.gov/vuln/detail/CVE-2026-27840
Code Behaviors & Features
Detect and mitigate CVE-2026-27840 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →