CVE-2026-55672: ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
Zitadel’s OAuth2 / OIDC CodeExchange and RefreshToken implementations omit the validation step that ensures the requesting client is the client that originally initiated the authorization flow. This violates RFC 6749 Section 4.1.3, which mandates that the authorization server ensure the authorization code was issued to the authenticated confidential client.
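A minimal Go model of the missing binding check, added here as an illustration and not ZITADEL's own code: the grant type, store and function names are assumed, and clientID stands for the client identity established by client authentication at the token endpoint (for a public client, the client_id of the request). The flawed pattern is shown beside the hardened form, and the same binding is carried over to the refresh-token flow, the second flow the advisory names.

```go
package main
import "errors"

var errInvalidGrant = errors.New("invalid_grant")

// grant models what the server persisted when it issued a code or refresh token.
type grant struct {
	ClientID string // client the grant was issued to
	Subject  string // end user who authorized that client
	Redeemed bool   // authorization codes are single use
}

// tokenStore keys grants by the opaque code or refresh-token value (assumed shape).
type tokenStore struct{ codes, refreshTokens map[string]*grant }

// newSampleStore returns constructed sample data, both grants issued to "app-a".
func newSampleStore() *tokenStore {
	return &tokenStore{
		codes:         map[string]*grant{"code-123": {ClientID: "app-a", Subject: "user-1"}},
		refreshTokens: map[string]*grant{"rt-456": {ClientID: "app-a", Subject: "user-1"}},
	}
}

// vulnerableCodeExchange mirrors the flawed pattern: clientID is never consulted,
// so any authenticated client that presents a valid, unused code gets it redeemed.
func (s *tokenStore) vulnerableCodeExchange(code, clientID string) (string, error) {
	g, ok := s.codes[code]
	if !ok || g.Redeemed {
		return "", errInvalidGrant
	}
	g.Redeemed = true
	return g.Subject, nil
}

// hardenedCodeExchange adds the RFC 6749 section 4.1.3 binding: the presenting
// client must be the one the code was issued to, checked before redemption.
func (s *tokenStore) hardenedCodeExchange(code, clientID string) (string, error) {
	g, ok := s.codes[code]
	if !ok || g.Redeemed || g.ClientID != clientID {
		return "", errInvalidGrant
	}
	g.Redeemed = true
	return g.Subject, nil
}

// hardenedRefresh applies the same binding to refresh tokens (RFC 6749 section 6).
func (s *tokenStore) hardenedRefresh(token, clientID string) (string, error) {
	g, ok := s.refreshTokens[token]
	if !ok || g.ClientID != clientID {
		return "", errInvalidGrant
	}
	return g.Subject, nil
}
```

The functions return the subject an access token would be minted for; a real token endpoint would also check redirect_uri and PKCE, which are out of scope here.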
References
- github.com/advisories/GHSA-xqxv-4jc2-x56x
- github.com/zitadel/zitadel/commit/0973b074b48816757c47fe732b06d2488d3d284c
- github.com/zitadel/zitadel/releases/tag/v3.4.12
- github.com/zitadel/zitadel/releases/tag/v4.15.2
- github.com/zitadel/zitadel/security/advisories/GHSA-xqxv-4jc2-x56x
- nvd.nist.gov/vuln/detail/CVE-2026-55672