A vulnerability classified as critical has been found in ZITADEL up to 3.4.11/4.15.1. Affected by this issue is some unknown functionality of the file internal/idp/providers/jwt/session.go of the component External JWT Identity Provider. Performing a manipulation of the argument exp results in deserialization.
This vulnerability is known as CVE-2026-56665. Remote exploitation of the attack is possible. No exploit is available.