Description
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant’s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.
Published: 2026-03-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

This vulnerability in Zitadel's Management API allows an authenticated user with a low‑privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management‑plane data belonging to other organizations by specifying a different tenant’s project_id, grant_id, or app_id. Because the API does not enforce tenancy boundaries, the attacker can read configuration and sensitive information from another tenant, leading to confidentiality loss. The weakness corresponds to CWE‑639 (Authorization Bypass Through Privilege Escalation) and CWE‑862 (Missing Authorization).

Affected Systems

Affected vendors and products: Zitadel; platform: Zitadel identity management. Version information is inferred from the advisory text: all releases prior to 3.4.8 in the 3.x branch and all releases prior to 4.12.2 in the 4.x branch are vulnerable.

Risk and Exploitability

Risk and exploitability: The CVSS score is 7.7, indicating a high severity. EPSS is under 1%, showing a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only an authenticated low‑privilege token, making it trivially achievable by any legitimate user or by an attacker who has hijacked such a token. Immediate patching is strongly recommended to eliminate the data leakage risk.

Generated by OpenCVE AI on March 17, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Zitadel release (v3.4.8 or newer, or v4.12.2 or newer) to address the vulnerability.

Generated by OpenCVE AI on March 17, 2026 at 16:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Zitadel
Zitadel zitadel
Vendors & Products Zitadel
Zitadel zitadel

Wed, 11 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant’s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.
Title ZITADEL Cross-Tenant Information Disclosure in Management API
Weaknesses CWE-639
CWE-862
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Zitadel Zitadel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T16:18:01.726Z

Reserved: 2026-03-10T22:19:36.545Z

Link: CVE-2026-32131

cve-icon Vulnrichment

Updated: 2026-03-12T15:44:07.731Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:32.957

Modified: 2026-03-16T16:52:22.903

Link: CVE-2026-32131

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:52Z

Weaknesses