A vulnerability described as problematic has been identified in ZITADEL up to 3.4.11/4.15.1. Affected by this vulnerability is an unknown functionality of the file internal/idp/providers/jwt/session.go of the component External JWT Identity Provider. Such manipulation of the argument iat leads to improper authentication.
This vulnerability is traded as CVE-2026-56664. The attack may be launched remotely. There is no exploit available.