Accessing apps protected via ZT's Access when user account is deleted/disabled even after clearing user session/seat
Team Summary
Official summary from Cloudflare Public Bug Bounty
When a user account is deleted or disabled at the IdP level (for example, when an employee leaves the company), a user who (a) had preserved some metadata from their Access JWT and (b) had access to another active user account inside the same organisation (one that may or may not have had access to any apps) would still have been able to reach SaaS apps they were no longer privileged to use, because certain checks were not validated server-side. Cloudflare's Engineering team resolved the issue by implementing the necessary server-side validation checks. It is important to note that, given the exploitability requirements, the likelihood of this attack was considered low.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Improper Authentication - Generic