Description
ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organization context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.
This allowed users from other organizations to bypass the restriction and sign in. Note that this enforcement is an additional check during authentication; applications relying on authorizations / role assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.
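As an added example (not Zitadel's own code), the organization check described above written in Go so that one function can be applied on every flow (authorization request, device authorization, login V2) rather than only on login V1; the User type, EnforceOrgScope and the orgByPrimaryDomain lookup are assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// The two organization-context scopes named in the advisory.
const (
	orgIDScopePrefix     = "urn:zitadel:iam:org:id:"
	orgDomainScopePrefix = "urn:zitadel:iam:org:domain:primary:"
)

// User is a constructed stand-in for the authenticated user record.
type User struct {
	ID    string
	OrgID string
}

// ErrWrongOrg signals a cross-organization sign-in attempt against an enforced context.
var ErrWrongOrg = errors.New("user is not a member of the organization required by the request")

// EnforceOrgScope is the check that must run on every flow (authorization request,
// device authorization, login V2 session) after the user is identified and before any
// token or session is issued. orgByPrimaryDomain is an assumed lookup from primary
// domain to organization ID. Requests without an org scope are unrestricted.
func EnforceOrgScope(scopes []string, user User, orgByPrimaryDomain map[string]string) error {
	for _, s := range scopes {
		var requiredOrg string
		switch {
		case strings.HasPrefix(s, orgIDScopePrefix):
			requiredOrg = strings.TrimPrefix(s, orgIDScopePrefix)
		case strings.HasPrefix(s, orgDomainScopePrefix):
			domain := strings.TrimPrefix(s, orgDomainScopePrefix)
			id, ok := orgByPrimaryDomain[domain]
			if !ok { // unknown domain: fail closed instead of dropping the constraint
				return fmt.Errorf("unknown primary domain %q in scope", domain)
			}
			requiredOrg = id
		default:
			continue // not an org scope (e.g. "openid", "profile")
		}
		if requiredOrg == "" || requiredOrg != user.OrgID {
			return ErrWrongOrg
		}
	}
	return nil
}
```

An empty or unknown organization in the scope is rejected rather than ignored, so a malformed scope cannot silently remove the restriction.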
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass Allowing Cross-Organization Logins
Action: Patch Immediately
AI Analysis

Impact

ZITADEL does not enforce the organization scopes on several authentication pathways, so a user who belongs to a different organization can still sign in to an application that required a specific organization context. This lets an attacker holding valid credentials from another tenant obtain a session or token for that application, potentially gaining access to resources that depend on the organization restriction. The weakness corresponds to a missing authentication check (CWE-306) and incorrect authorization (CWE-863). The impact is the ability to perform unauthorized actions within another organization's context.

Affected Systems

The issue affects ZITADEL open‑source identity management platform, specifically versions prior to 3.4.9 and 4.0.0 up to 4.12.2. Versions 3.4.9 and 4.12.3 contain the fix. Any deployment using the affected releases and relying on organization scope enforcement in authentication is vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity, and the EPSS score is below 1%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the login V2, OIDC API V2 and device authorization flows, which all lacked the organization scope check. A user of another organization who authenticates through one of these flows while the application requests an organization scope can obtain tokens despite the intended restriction, compromising tenant isolation.

Generated by OpenCVE AI on March 23, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ZITADEL release (v3.4.9 or v4.12.3) to enforce organization scope checks in all authentication endpoints.



Advisories
Source: GitHub GHSA
ID: GHSA-g2pf-ww5m-2r9m
Title: Zitadel is missing enforcement of organization scopes
History

Each entry lists the changed field with the values removed and the values added.

Mon, 23 Mar 2026 18:15:00 +0000
  CPEs (added): cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Sat, 21 Mar 2026 05:30:00 +0000
  Weaknesses (added): CWE-306
  References: (no values listed)
  Metrics threat_severity: None (removed) -> Moderate (added)

Fri, 20 Mar 2026 20:15:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:30:00 +0000
  First Time appeared (added): Zitadel; Zitadel zitadel
  Vendors & Products (added): Zitadel; Zitadel zitadel

Fri, 20 Mar 2026 10:45:00 +0000
  Description (added): same text as the Description at the top of this page
  Title (added): ZITADEL is missing enforcement of organization scopes
  Weaknesses (added): CWE-863
  References: (no values listed)
  Metrics cvssV3_1 (added): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-20T19:31:30.207Z
  Reserved: 2026-03-17T20:35:49.928Z
  Link: CVE-2026-33132

Vulnrichment
  Updated: 2026-03-20T19:31:19.110Z

NVD
  Status: Analyzed
  Published: 2026-03-20T11:18:02.857
  Modified: 2026-03-23T18:06:26.590
  Link: CVE-2026-33132

Red Hat
  Severity: Moderate
  Public Date: 2026-03-20T10:21:19Z
  Links: CVE-2026-33132 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-03-25T14:29:33Z

Weaknesses