CVE-2026-58165

HIGH

OpenZiti - Privilege Escalation to Admin via Unauthorized Enrollment Creation

Title source: cna
STIX 2.1

Description

OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go verifies only that the target identity exists without performing authorization checks binding the caller to the target identity. Attackers can redeem the resulting one-time token through the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity, yielding full administrative control of the controller and the zero-trust overlay it manages.

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.0024
EPSS Percentile 15.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (2)
openziti/ziti < 2.0.0
openziti/ziti 3027fdffd3e57884487b7c46e5e669cfbc8becdf
Published Jun 30, 2026
Tracked Since Jun 30, 2026