ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
Description
Summary
An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.
When validating JSON Web Tokens (JWTs) from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer (iss), but it fails to validate the audience (aud) claim.
As a result, any validly signed token from the trusted issuer will be accepted. An attacker who is a legitimate user of a completely separate service sharing the same enterprise Identity Provider can intercept or present their token for that service to ZITADEL, successfully authenticating as that user without authorization.
Impact
In a controlled enterprise environment where Identity Providers are explicitly managed, the operational risk is localized. Exploitation requires that an attacker already possesses a valid standard user session token from a shared, trusted issuer intended for an entirely different relying party, limiting the vector to specific, rare cross-service setups where trust boundaries overlap.
Affected
Versions
Systems running one of the following versions are affected:
- 4.x:
4.0.0through4.11.0(including RC versions) - 3.x:
3.0.0through3.4.11(including RC versions)
Patches
The vulnerability has been addressed in the latest releases, where a required audience can be set in the IdP configuration. Once provided, audience validation will be enforced.
Workarounds
The recommended solution is to update ZITADEL to a patched version.
If an immediate upgrade is not possible, you can mitigate the risk at the infrastructure layer:
- At the IdP: Ensure the external Identity Provider issues scoped tokens with highly unique, non-overlapping audience values that cannot be misconstrued by separate service deployments.
- At the Perimeter: Deploy a reverse proxy, API gateway, or Web Application Firewall (WAF) layer in front of ZITADEL to inspect incoming identity tokens and explicitly drop requests where the
audfield does not strictly match ZITADEL's deployment target.
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to Android-Login-Analysis, Jason Zhou and Pedro Giglioti for reporting this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"Missing validation of the `aud` (audience) claim in JWT tokens from an external Identity Provider allows any validly signed token from the trusted issuer to be accepted."
Attack vector
An attacker who possesses a validly signed JWT from a trusted issuer (the same enterprise Identity Provider) but intended for a different relying party can present that token to ZITADEL. Because ZITADEL did not validate the `aud` (audience) claim, it would accept any token signed by the trusted issuer, allowing the attacker to authenticate as the user identified in the token's `sub` claim without authorization for ZITADEL's services. This is a classic missing audience validation flaw [CWE-287].
Affected code
The vulnerability resides in the JWT Identity Provider (IdP) validation logic within `internal/idp/providers/jwt/session_test.go` and the related command/query layers. The patch adds an `audience` field to the JWT IdP configuration (`internal/repository/idp/jwt.go`, `internal/query/idp_template.go`) and a database migration (`cmd/setup/71.go`) to store it. The core fix ensures that when an audience is configured, the token's `aud` claim is validated, which was previously missing entirely.
What the fix does
The patch introduces an optional `audience` configuration field for the JWT IdP. When set, the token's `aud` claim is validated against this expected value; when left empty, no audience check is performed (preserving backward compatibility). The change spans the protobuf definitions (`proto/zitadel/admin.proto`, `proto/zitadel/management.proto`), the event store (`internal/repository/idp/jwt.go`), the query layer (`internal/query/idp_template.go`), and a database migration (`cmd/setup/71.sql`) to persist the new field. The test file (`internal/idp/providers/jwt/session_test.go`) adds a dedicated test case `"invalid token (audience)"` that verifies a token with a mismatched audience is rejected with `ErrInvalidToken`.
Preconditions
- configZITADEL must be configured with an external JWT Identity Provider (IdP) that shares a trusted issuer with other relying parties.
- inputThe attacker must possess a validly signed JWT from that trusted issuer, intended for a different service (i.e., with a different audience).
- networkThe attacker must be able to present that JWT to ZITADEL's authentication endpoint.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-g5h5-m4hm-xjrrghsaADVISORY
- github.com/zitadel/zitadel/commit/d184e976fc799a383bb6ef9f32c3bae11a3ef85fghsa
- github.com/zitadel/zitadel/releases/tag/v3.4.12ghsa
- github.com/zitadel/zitadel/releases/tag/v4.15.2ghsa
- github.com/zitadel/zitadel/security/advisories/GHSA-g5h5-m4hm-xjrrghsa
News mentions
0No linked articles in our index yet.