CVE-2025-67717

MEDIUM

Zitadel < 2.71.19 - Information Disclosure

Title source: rule

Description

ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.

References (2)

[Patch, Vendor Advisory] https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx

[Patch] https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0004

EPSS Percentile 12.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-497

Status published

Products (2)

zitadel/zitadel 2.44.0 - 2.71.19

zitadel/zitadel 4.0.0-rc.1 - 4.7.2Go

Published Dec 11, 2025

Tracked Since Feb 18, 2026