{"id":"CVE-2023-22492","summary":"RefreshToken invalidation vulnerability","details":"ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. ","aliases":["GHSA-6rrr-78xp-5jp8"],"modified":"2026-03-03T02:48:56.422819Z","published":"2023-01-11T19:42:50.505Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22492.json","cwe_ids":["CWE-613"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22492.json"},{"type":"FIX","url":"https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83"},{"type":"FIX","url":"https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2"},{"type":"ADVISORY","url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22492"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"0"},{"fixed":"301e22c4956ead6014a8179463c37263f7301a83"},{"introduced":"0"},{"fixed":"fc892c52a10cd4ffdac395747494f3a93a7494c2"},{"introduced":"5b284f8c9ba65a88fb4d58ac6aa34be429b19e8e"},{"fixed":"fc892c52a10cd4ffdac395747494f3a93a7494c2"},{"introduced":"5c8cfa416721410e5786865c9ef40c3769205963"},{"fixed":"301e22c4956ead6014a8179463c37263f7301a83"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22492.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"}]}