How to fix CVE-2025-27507?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Is Zitadel affected by CVE-2025-27507?

Organizations using open-source identity infrastructure software Zitadel face critical risk from CVE-2025-27507, a IDOR vulnerability rated CVSS 9.0. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems.

CVE-2025-27507

CRITICAL

2025-03-04 [email protected]

9.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:29 vuln.today

Patch Released

Mar 28, 2026 - 18:29 nvd

Patch available

CVE Published

Mar 04, 2025 - 17:15 nvd

CRITICAL 9.0

Description

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8.

Analysis

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.

Technical Context

This vulnerability is classified under CWE-639. The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8. Affected products include: Zitadel.

Affected Products

Zitadel.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +45

POC: 0

Vendor Status

CVE-2025-27507 vulnerability details – vuln.today

Back

CVE-2025-27507

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-27507

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code