N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-cpf4-pmr4-w6cx

GHSA-cpf4-pmr4-w6cx: IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering

Summary

ZITADEL's Organization V2Beta API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations.

Impact

ZITADEL's Organization V2Beta API, intended for managing ZITADEL organizations, contains multiple endpoints that fail to properly authorize authenticated users. An attacker with an administrator role for a specific organization could exploit this to bypass access controls and perform unauthorized actions on other organizations within the same ZITADEL instance.

This could allow an attacker to:

Read organization data, including the name, domains and metadata.
Manipulate (modify) the corresponding organization data.
Delete the corresponding data, up to and including the entire organization.

Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected.

Affected Versions

Systems running one of the following versions are affected:

v4.x: 4.0.0-rc.1 through 4.6.2

Patches

The vulnerability has been addressed in the latest release. The patch resolves the issue by correctly validating the caller's permission against the target organization.

v4.x: Upgrade to version 4.6.3 or later.

Workarounds

Upgrading to a patched version is the recommended solution.

If an immediate upgrade is not possible, mitigation can be achieved by disabling the affected Organization V2Beta API endpoints (e.g., /v2beta/organizations/...) at a reverse proxy or Web Application Firewall (WAF) level.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-cpf4-pmr4-w6cx

GHSA-cpf4-pmr4-w6cx:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel	go	>= 4.0.0-rc.1, < 4.6.2	4.6.3
github.com/zitadel/zitadel	go	>= 1.80.0-v2.20.0.20250414095945-f365cee73242, < 1.80.0-v2.20.0.20251105083648-8dcfff97ed52	1.80.0-v2.20.0.20251105083648-8dcfff97ed52

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an Insecure Direct Object Reference (IDOR) in ZITADEL's Organization V2Beta API. The analysis of the patch commit 8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed reveals that multiple methods in the gRPC server implementation for the organization service were missing authorization checks. An authenticated user with administrator privileges in one organization could specify the ID of another organization in the API requests and perform actions on it without proper authorization.

The patch addresses this by introducing a permissionCheck function argument to the underlying business logic functions in the internal/command package. This check is then passed down from the gRPC handler. The gRPC handlers in internal/api/grpc/org/v2beta/org.go and internal/api/grpc/org/v2/org.go were modified to include these new permission checks (e.g., CheckPermissionOrganizationWrite, CheckPermissionOrganizationDelete).

The vulnerable functions are the public gRPC methods that were modified to include these checks. Before the patch, these functions would process requests without verifying if the caller had the necessary permissions for the target organization, leading to the IDOR vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-cpf4-pmr4-w6cx: IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

GHSA-cpf4-pmr4-w6cx:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

GHSA-cpf4-pmr4-w6cx: IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering

Summary

Impact

Affected Versions

Patches

Workarounds

Questions

N/A

N/A

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI