CVE-2025-53895
HIGHZITADEL <4.0.0-rc.2, 3.3.2, 2.71.13, 2.70.14 - Privilege Escalation
Title source: llmDescription
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue.
References (5)
Scores
CVSS v3
8.8
EPSS
0.0011
EPSS Percentile
29.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-384
CWE-863
Status
published
Products (2)
zitadel/zitadel
4.0.0 rc1
zitadel/zitadel
2.53.0 - 2.70.14
Published
Jul 15, 2025
Tracked Since
Feb 18, 2026