Description
OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go verifies only that the target identity exists without performing authorization checks binding the caller to the target identity. Attackers can redeem the resulting one-time token through the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity, yielding full administrative control of the controller and the zero-trust overlay it manages.
Published: 2026-06-30
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenZiti versions up to 2.0.0 allow an authenticated identity that has fine‑grained enrollment‑management permissions to create an enrollment for any target identity, including the default administrator. The controller verifies only that the target identity exists, omitting an authorization check that would bind the caller to the target. By redeeming the one‑time token created for the unauthorized enrollment through the unauthenticated client‑API enrollment endpoint, an attacker obtains a client certificate that authenticates as the targeted admin identity, granting full administrative control of the controller and the zero‑trust overlay it manages.
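The defect described above is a missing-authorization check (CWE-862): the create path confirms that the target identity exists but never asks whether this caller may enroll that identity. The following Go block is an added, hypothetical illustration of that pattern and its fix, not OpenZiti's code; the Caller type, the permission scope model, and the sample identity store are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Caller models the authenticated principal making the request (hypothetical, not OpenZiti's types).
type Caller struct {
	IsAdmin             bool
	CanCreateEnrollment bool            // fine-grained enrollment-management permission
	AllowedTargets      map[string]bool // identity IDs the caller's grant is scoped to
}

var ErrNotFound = errors.New("target identity not found")
var ErrUnauthorized = errors.New("caller not authorized to create enrollment for target")

// VulnerableApplyCreate mirrors the defect pattern: once the caller holds the
// enrollment permission, only the existence of the target identity is checked.
func VulnerableApplyCreate(ids map[string]bool, c Caller, targetID string) error {
	if !c.CanCreateEnrollment {
		return ErrUnauthorized
	}
	if _, ok := ids[targetID]; !ok {
		return ErrNotFound
	}
	return nil // any existing identity, including the default admin, is accepted
}

// HardenedApplyCreate adds the missing caller-to-target binding: admins may enroll
// any identity; a non-admin may enroll only identities in its grant scope, never an admin.
func HardenedApplyCreate(ids map[string]bool, c Caller, targetID string) error {
	if !c.CanCreateEnrollment {
		return ErrUnauthorized
	}
	targetIsAdmin, ok := ids[targetID]
	if !ok {
		return ErrNotFound
	}
	if !c.IsAdmin && (targetIsAdmin || !c.AllowedTargets[targetID]) {
		return ErrUnauthorized
	}
	return nil
}

func main() {
	ids := map[string]bool{"default-admin": true, "svc-1": false} // constructed store: ID -> is admin
	low := Caller{CanCreateEnrollment: true, AllowedTargets: map[string]bool{"svc-1": true}}
	fmt.Println("vulnerable:", VulnerableApplyCreate(ids, low, "default-admin"), "hardened:", HardenedApplyCreate(ids, low, "default-admin"))
}
```

The vulnerable path returns nil for a low-privilege caller targeting the admin identity, which is exactly the condition the advisory describes; the hardened path returns ErrUnauthorized for the same call while still allowing in-scope targets.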

Affected Systems

Vendors and products impacted include OpenZiti (ziti) through version 2.0.0. The vulnerability is fixed in commit 3027fdf and in any release derived from that commit.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity vulnerability, and the EPSS score is not available, so current exploitation likelihood cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that the attacker first obtain authenticated access to the Ziti controller with enrollment‑management permissions; from there the attacker can create an unauthorized enrollment and elevate privileges to a full administrator. The impact is loss of confidentiality, integrity, and availability of all managed services.

Generated by OpenCVE AI on June 30, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the fixed commit 3027fdf or upgrade to a release beyond 2.0.0 that includes the patch
  • Restrict the permissions that grant enrollment‑creation rights to administrators or other explicitly trusted roles, ensuring non‑admin identities cannot create enrollments for any target
  • Enable audit logging for enrollment operations and regularly review logs for anomalous or unauthorized enrollment creation attempts

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:45:00 +0000

Type: Description
  Values removed: (empty)
  Values added: OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go verifies only that the target identity exists without performing authorization checks binding the caller to the target identity. Attackers can redeem the resulting one-time token through the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity, yielding full administrative control of the controller and the zero-trust overlay it manages.

Type: Title
  Values removed: (empty)
  Values added: OpenZiti - Privilege Escalation to Admin via Unauthorized Enrollment Creation

Type: Weaknesses
  Values removed: (empty)
  Values added: CWE-862

Type: References
  Values removed: (empty)
  Values added: (empty)

Type: Metrics
  Values removed: (empty)
  Values added:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T17:13:18.445Z

Reserved: 2026-06-29T16:03:38.521Z

Link: CVE-2026-58165

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:30:15Z

Weaknesses