CVE-2025-64431
EPSS 0.06%
IDOR Vulnerabilities in ZITADEL's Organization API allow Cross-Tenant Data Tampering
Description
### Summary

ZITADEL's Organization V2Beta API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users holding specific **administrator** roles within one organization to access and modify data belonging to **other** organizations in the same instance.

### Impact

ZITADEL's Organization V2Beta API, intended for managing ZITADEL organizations, contains multiple endpoints that fail to properly authorize authenticated users: the caller's administrator role is checked, but not whether that role applies to the organization named in the request. An attacker holding an administrator role in one organization could exploit this to bypass access controls and perform unauthorized actions on other organizations within the same ZITADEL instance. This could allow an attacker to:

- **Read** organization data, including the name, domains and metadata.
- **Manipulate** (modify) the corresponding organization data.
- **Delete** the corresponding data, up to and including the entire organization.

Note that this vulnerability is limited to organization-level data (name, domains, metadata). **No other related data (such as users, projects, applications, etc.) is affected.**

### Affected Versions

Systems running one of the following versions are affected:

- **v4.x**: `4.0.0-rc.1` through `4.6.2`

### Patches

The vulnerability has been addressed in the latest release. The patch resolves the issue by validating the caller's permission against the target organization rather than only against the organization the caller belongs to.

- v4.x: Upgrade to version [4.6.3](https://github.com/zitadel/zitadel/releases/tag/v4.6.3) or later.

### Workarounds

Upgrading to a patched version is the recommended solution. If an immediate upgrade is not possible, mitigation can be achieved by blocking the affected Organization V2Beta API endpoints (e.g. `/v2beta/organizations/...`) at a reverse proxy or Web Application Firewall (WAF) level. Note that this denies the V2Beta organization endpoints to legitimate administrators as well; organization management then has to go through the other ZITADEL APIs until the upgrade is done.

### Questions

If you have any questions or comments about this advisory, please email us at [[email protected]](mailto:[email protected])
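The bug class the advisory describes, as an added illustration that is not ZITADEL's code: a small stand-in for an organization API where the vulnerable handler verifies that the caller is an organization administrator *somewhere* and then acts on the client-supplied organization ID, while the fixed handler evaluates the permission against the target organization. Type, function and role names (`Caller`, `OrgStore`, `ORG_OWNER`, `InstanceAdmin`) and the two sample tenants are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model of the IDOR described in the advisory; not ZITADEL's
// code. Names and data below are constructed for the example.

var (
	ErrPermissionDenied = errors.New("permission denied")
	ErrNotFound         = errors.New("organization not found")
)

// Org holds the organization-level data the advisory says was exposed.
type Org struct {
	ID       string
	Name     string
	Domains  []string
	Metadata map[string]string
}

// Caller is what the API layer learns from the access token: the caller's
// own organization, the roles granted there, and whether the caller holds
// an instance-wide admin role that is legitimately cross-tenant.
type Caller struct {
	UserID        string
	OrgID         string
	OrgRoles      map[string]bool // roles granted within Caller.OrgID only
	InstanceAdmin bool
}

type OrgStore struct{ orgs map[string]*Org }

// vulnerableUpdateName reproduces the flaw: the role check ignores which
// organization the role was granted in, so ORG_OWNER in org A is enough to
// rename org B.
func (s *OrgStore) vulnerableUpdateName(c Caller, orgID, name string) error {
	if !c.InstanceAdmin && !c.OrgRoles["ORG_OWNER"] {
		return ErrPermissionDenied
	}
	org, ok := s.orgs[orgID]
	if !ok {
		return ErrNotFound
	}
	org.Name = name
	return nil
}

// authorize is the fix: the question is always "does the caller hold this
// role in the *target* organization?". Instance admins pass unconditionally.
func authorize(c Caller, targetOrgID, role string) error {
	if c.InstanceAdmin {
		return nil
	}
	if c.OrgID == targetOrgID && c.OrgRoles[role] {
		return nil
	}
	return ErrPermissionDenied
}

// fixedUpdateName authorizes before consulting the store, so a foreign
// caller cannot tell an existing organization ID from a nonexistent one.
func (s *OrgStore) fixedUpdateName(c Caller, orgID, name string) error {
	if err := authorize(c, orgID, "ORG_OWNER"); err != nil {
		return err
	}
	org, ok := s.orgs[orgID]
	if !ok {
		return ErrNotFound
	}
	org.Name = name
	return nil
}

// fixedGetOrg applies the same rule to reads; delete would use the same helper.
func (s *OrgStore) fixedGetOrg(c Caller, orgID string) (*Org, error) {
	if err := authorize(c, orgID, "ORG_OWNER"); err != nil {
		return nil, err
	}
	org, ok := s.orgs[orgID]
	if !ok {
		return nil, ErrNotFound
	}
	return org, nil
}

// newDemoStore builds two constructed tenants.
func newDemoStore() *OrgStore {
	return &OrgStore{orgs: map[string]*Org{
		"org-A": {ID: "org-A", Name: "Tenant A", Domains: []string{"a.example"}},
		"org-B": {ID: "org-B", Name: "Tenant B", Domains: []string{"b.example"}},
	}}
}

func main() {
	// Attacker: owner of org-A, trying to rename org-B.
	attacker := Caller{UserID: "u1", OrgID: "org-A", OrgRoles: map[string]bool{"ORG_OWNER": true}}
	s := newDemoStore()
	fmt.Println("vulnerable:", s.vulnerableUpdateName(attacker, "org-B", "pwned"), "->", s.orgs["org-B"].Name)
	s = newDemoStore()
	fmt.Println("fixed:     ", s.fixedUpdateName(attacker, "org-B", "pwned"), "->", s.orgs["org-B"].Name)
}
```

The ordering in `fixedUpdateName` matters: checking permission before the lookup means a caller outside the target organization receives the same `permission denied` whether or not the ID exists, so the fixed endpoint does not become an oracle for enumerating other tenants' organization IDs.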
Affected packages (2)
- Go / github.com/zitadel/zitadel: >= 4.0.0-rc.1, < 4.6.3
- Go / github.com/zitadel/zitadel: >= 1.80.0-v2.20.0.20250414095945-f365cee73242, < 1.80.0-v2.20.0.20251105083648-8dcfff97ed52 (Go pseudo-versions; the upper bound is the fix commit 8dcfff97ed52)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | High (8.7, computed from the vector) | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-64431
- PATCH: https://github.com/zitadel/zitadel
- WEB: https://github.com/zitadel/zitadel/commit/8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed
- WEB: https://github.com/zitadel/zitadel/releases/tag/v4.6.3
- WEB: https://github.com/zitadel/zitadel/security/advisories/GHSA-cpf4-pmr4-w6cx