Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-6mq3-xmgp-pjm5

MEDIUM

ZITADEL's truncated opaque tokens are still valid

Also known asCVE-2026-27840GO-2026-4573
Published
Feb 27, 2026
Updated
Mar 23, 2026
Affected
4 pkgs
Patched
3 / 4
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.1%probability of exploitation in next 30 days
Lower Risk4th percentile+0.12%
0.00%0.21%0.43%0.64%0.0%0.0%0.0%0.0%0.1%Mar 26May 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

4 pkgs affected
🐹github.com/zitadel/zitadel🐹github.com/zitadel/zitadel🐹github.com/zitadel/zitadel🐹github.com/zitadel/zitadel

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid.

ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade.

The cleartext payload has a format of <token_id>:<user_id>. v2 tokens distinguished further where the token_id is of the format v2_<oidc_session_id>-at_<access_token_id>. This is an example of such a cleartext: V2_354201447279099906-at_354201447279165442:354201364702363650

Impact

V1 token authZ/N session data is retrieved from the database using the (simple) token_id value and user_id value. The user_id (called subject in some parts of our code) was used as being the trusted user ID.

V2 token authZ/N session data is retrieved from the database using the oidc_session_id and access_token_id and in this case the user_id from the token is ignored and taken from the session data in the database.

By truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token: V2_354201447279099906-at_354201447279165442: The back-end still accepts this for above reasons.

This issue is not considered exploitable, but may look awkward when reproduced.

Affected Versions

All versions within the following ranges, including release candidates (RCs), are affected:

  • v4.x: 4.0.0 through 4.10.1
  • 3.x: 3.0.0 through 3.4.6
  • 2.x: 2.31.0 through 2.71.19

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by verifying the user_id from the token against the session data from the database

4.x: Upgrade to >=4.11.0 3.x: Update to >=3.4.7 2.x: Update to >=3.4.7

Workarounds

The recommended solution is to update ZITADEL to a patched version.

Questions

If there any questions or comments about this advisory, please send an email to [email protected]

Credits

ZITADEL thanks Olivier Becker and Lucas Dodgson for reporting this vulnerability.

Affected Packages

4 total 3 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/zitadel/zitadel4.0.0&&< 4.11.04.11.0
🐹Gogithub.com/zitadel/zitadel3.0.0&&< 3.4.73.4.7
🐹Gogithub.com/zitadel/zitadel2.31.0No fix
🐹Gogithub.com/zitadel/zitadelall versions1.80.0-v2.20.0.20260216092519-feab8e1fa371

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/zitadel/zitadel. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/zitadel/zitadel to 4.11.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-6mq3-xmgp-pjm5 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-6mq3-xmgp-pjm5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-6mq3-xmgp-pjm5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid. ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade. The cleartext payload has a format of `<token_id>:<user_id>`. v2 tokens distinguished further where the `token_id` is of the format `v2_<oidc_session_id>-at_
O3 Security · Impact-Aware SCA

Is GHSA-6mq3-xmgp-pjm5 in your dependencies?

O3 detects GHSA-6mq3-xmgp-pjm5 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works