Description
Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations. Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/zitadel/zitadel/security/advisories/GHSA-cpf4-pmr4-w6cx
Patch x_refsource_misc
https://github.com/zitadel/zitadel/commit/8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed
Release Notes x_refsource_misc
https://github.com/zitadel/zitadel/releases/tag/v4.6.3
Scores
CVSS v4
8.7
EPSS
0.0005
EPSS Percentile
16.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-639
Status
published
Products (3)
zitadel/zitadel
4.0.0-rc.1 - 4.6.3Go
zitadel/zitadel
>= 1.80.0-v2.20.0.20250414095945-f365cee73242, < 1.80.0-v2.20.0.20251105083648-8dcfff97ed52
zitadel/zitadel
>= 4.0.0-rc.1, < 4.6.3
Published
Nov 07, 2025
Tracked Since
Feb 18, 2026