CVE-2026-55670
LOWZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
Title source: cnaDescription
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/zitadel/zitadel/security/advisories/GHSA-6x8v-2fq5-2229
X_Refsource_Misc x_refsource_misc
https://github.com/zitadel/zitadel/pull/12261
X_Refsource_Misc x_refsource_misc
https://github.com/zitadel/zitadel/commit/a939b847d90c3370bd162064e57764b89c01be46
X_Refsource_Misc x_refsource_misc
https://github.com/zitadel/zitadel/releases/tag/v4.15.2
Scores
CVSS v4
2.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
CWE-639
Status
published
Products (1)
zitadel/zitadel
< 4.15.2
Published
Jul 10, 2026
Tracked Since
Jul 10, 2026