ZITADEL: Missing Token Lifecycle Validation (`exp` and `iat`) in JWT IdP Provider
- When
- Where: Global (internet)
- Category: cyber_advisory · go
### Summary

Two closely related token lifecycle validation vulnerabilities were discovered in ZITADEL's external JWT Identity Provider (IdP) implementation. Specifically, within the validation pipeline:

* **Missing Expiration (`exp`) Enforcement:** If an incoming JWT omits the `exp` claim entirely, the expiration block is silently skipped rather than rejected. The token is treated as valid forever.
* **Missing Issued-At (`iat`) Enforcement:** ZITADEL enforces a 1-hour freshness window (`maxAge`) via the token's issue time. However, this safety check is guarded by a presence condition. If a token omits the `iat` claim, the freshness check is entirely bypassed, allowing arbitrarily old tokens to pass.

Per the OIDC Core 1.0 specification, identity token validation pipelines must strictly handle and enforce session expiration. ZITADEL's silent acceptance of tokens missing these temporal constraints compromises session integrity.

### Impact

An attacker in possession of a token that lacks both `exp` and `iat` claims holds a permanent credential that will never expire and will always be deemed "fresh" by the system. Even without combining both flaws, the absence of an expiration constraint means a leaked token effectively turns into a skeleton key for that user session with no automatic revocation window.

### Affected Versions

Systems running one of the following versions are affected:

* **4.x**: `4.0.0` through `4.15.1` (including RC versions)
* **3.x**: `3.0.0` through `3.4.11` (including RC versions)

### Patches

The vulnerability has been addressed in the latest releases. ZITADEL now explicitly rejects tokens that lack an `exp` or `iat` claim.

* **4.x**: Upgrade to ≥ [4.15.2](https://github.com/zitadel/zitadel/releases/tag/v4.15.2)
* **3.x**: Upgrade to ≥ [3.4.12](https://github.com/zitadel/zitadel/releases/tag/v3.4.12)

### Workarounds

The recommended solution is to update ZITADEL to a patched version.

If an immediate upgrade is not feasible, ensure at the Identity Provider level that the external IdP is rigidly configured to enforce short token lifetimes and **explicitly includes** both `exp` and `iat` claims in every single token payload it signs and issues.

### Questions

If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com).

### Credits

Thanks to [Android-Login-Analysis](https://github.com/Android-Login-Analysis), Jason Zhou and [Pedro Giglioti](https://github.com/Punisher100) for reporting this vulnerability.
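The presence-guarded lifetime check the Summary describes, as an added Go example that is not ZITADEL's own code: the lenient form skips each check when its claim is absent, so a payload carrying neither `exp` nor `iat` passes; the strict form beside it rejects a missing claim outright, which is the behaviour the patch is described as introducing. The function names and the constructed JSON payloads are assumptions; the signature verification that must happen before any claim is trusted is left out.

```go
package main

import (
	"encoding/json"
	"errors"
	"time"
)

// Claims holds the temporal JWT claims; pointer fields tell "absent" from "0".
type Claims struct {
	Exp *int64 `json:"exp,omitempty"`
	Iat *int64 `json:"iat,omitempty"`
}

// MaxAge is the 1-hour freshness window the advisory describes.
const MaxAge = time.Hour

// ErrMissing is returned by the strict check when exp or iat is absent.
var ErrMissing = errors.New("token lacks required exp or iat claim")

// parseClaims decodes a JWT payload JSON object (constructed input in the
// test); the signature check that must precede this step is out of scope.
func parseClaims(payload string) (Claims, error) {
	var c Claims
	err := json.Unmarshal([]byte(payload), &c)
	return c, err
}

// checkLifetimeLenient reproduces the presence-guarded pattern the advisory
// describes: each check runs only if its claim exists, so a payload with
// neither claim passes unconditionally and never expires.
func checkLifetimeLenient(c Claims, now time.Time) error {
	if c.Exp != nil && !now.Before(time.Unix(*c.Exp, 0)) {
		return errors.New("token expired")
	}
	if c.Iat != nil && now.Sub(time.Unix(*c.Iat, 0)) > MaxAge {
		return errors.New("token issued more than maxAge ago")
	}
	return nil
}

// checkLifetimeStrict is the hardened form: a missing exp or iat is a
// rejection in its own right, as the advisory says the fix enforces.
func checkLifetimeStrict(c Claims, now time.Time) error {
	if c.Exp == nil || c.Iat == nil {
		return ErrMissing
	}
	return checkLifetimeLenient(c, now)
}
```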
Sources
- GitHub Advisory Database · first seen 2026-06-18 13:52 UTC