CVE-2026-33132

ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints. This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8	Patch
https://github.com/zitadel/zitadel/releases/tag/v3.4.9	Release Notes
https://github.com/zitadel/zitadel/releases/tag/v4.12.3	Release Notes
https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::

History

No history.

Information

Published : 2026-03-20 11:18

Updated : 2026-03-23 18:06

NVD link : CVE-2026-33132

Mitre link : CVE-2026-33132

CVE.ORG link : CVE-2026-33132

JSON object : View

Products Affected

zitadel

zitadel

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-33132", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T11:18:02.857", "references": [{"url": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3."}, {"lang": "es", "value": "ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. Las versiones anteriores a la 3.4.9 y de la 4.0.0 a la 4.12.2 permit\u00edan a los usuarios eludir la aplicaci\u00f3n de la organizaci\u00f3n durante la autenticaci\u00f3n. Zitadel permite a las aplicaciones aplicar un contexto de organizaci\u00f3n durante la autenticaci\u00f3n utilizando \u00e1mbitos (urn:zitadel:iam:org:id:{id} y urn:zitadel:iam:org:domain:primary:{domainname}). Si se aplica, un usuario necesita ser parte de la organizaci\u00f3n requerida para iniciar sesi\u00f3n. Aunque esto se aplicaba correctamente para las solicitudes de autorizaci\u00f3n de OAuth2/OIDC en el inicio de sesi\u00f3n V1, faltaban controles correspondientes para las solicitudes de autorizaci\u00f3n de dispositivos y todos los puntos finales de inicio de sesi\u00f3n V2 y OIDC API V2. Esto permit\u00eda a los usuarios eludir la restricci\u00f3n e iniciar sesi\u00f3n con usuarios de otras organizaciones. Tenga en cuenta que esta aplicaci\u00f3n permite una verificaci\u00f3n adicional durante la autenticaci\u00f3n y las aplicaciones que dependen de autorizaciones / asignaciones de roles no se ven afectadas por esta elusi\u00f3n. Este problema ha sido parcheado en las versiones 3.4.9 y 4.12.3."}], "lastModified": "2026-03-23T18:06:26.590", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB64A72E-A1E9-444E-B028-AFDFD32EDEFC", "versionEndExcluding": "3.4.9"}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3282FDC0-7B0C-494E-8F6D-A497EC96E5EE", "versionEndExcluding": "4.12.3", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}