{"id":"CVE-2023-22492","summary":"RefreshToken invalidation vulnerability","details":"ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. ","aliases":["GHSA-6rrr-78xp-5jp8"],"modified":"2026-04-10T04:55:24.350426Z","published":"2023-01-11T19:42:50.505Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22492.json","cwe_ids":["CWE-613"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22492.json"},{"type":"ADVISORY","url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22492"},{"type":"FIX","url":"https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83"},{"type":"FIX","url":"https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"5c8cfa416721410e5786865c9ef40c3769205963"},{"fixed":"301e22c4956ead6014a8179463c37263f7301a83"}],"database_specific":{"versions":[{"introduced":"2.17.0"},{"fixed":"2.17.3"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"5b284f8c9ba65a88fb4d58ac6aa34be429b19e8e"},{"fixed":"fc892c52a10cd4ffdac395747494f3a93a7494c2"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.16.4"}]}}],"versions":["v2.0.0","v2.0.1","v2.1.0","v2.1.1","v2.10.0","v2.11.0","v2.11.1","v2.12.0","v2.13.0","v2.13.1","v2.14.0","v2.14.1","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.15.0","v2.16.0","v2.16.1","v2.16.2","v2.16.3","v2.17.0","v2.17.1","v2.17.2","v2.2.0","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.4.0","v2.5.0","v2.5.1","v2.6.0","v2.7.0","v2.8.0","v2.8.1","v2.8.2","v2.9.0","v2.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22492.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"}]}