Skip to main content

Red Hat CVE-2026-33132

MEDIUM
Incorrect Authorization (CWE-863)
2026-03-18 https://github.com/zitadel/zitadel GHSA-g2pf-ww5m-2r9m
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 18, 2026 - 17:25 vuln.today
Patch released
Mar 18, 2026 - 17:25 nvd
Patch available
CVE Published
Mar 18, 2026 - 17:25 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

A vulnerability in Zitadel's OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication.

Impact

Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in.

While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints. This allowed users to bypass the restriction and sign in with users from other organizations.

Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass.

Affected Versions

Systems running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.12.2 (including RC versions)
  • 3.x: 3.0.0 through 3.4.8 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by validating the provided scopes and enforcing the organization existence when processing the authorization request. Additionally it will prevent the use of a session of a user which does not belong to the required organization on the OIDC service endpoints (CreateCallback and Authorize or Deny Device Authorization endpoints).

4.x: Upgrade to >=4.12.3 3.x: Update to >=3.4.9

Workarounds

The recommended solution is to upgrade to a patched version.

Questions

If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)

Credits

Thanks to @motoki317 for reporting this vulnerability.

AnalysisAI

Zitadel's OAuth2/OIDC implementation contains an authentication bypass vulnerability (CWE-863: Improper Authorization) that allows unauthenticated attackers to circumvent organization enforcement controls during login. Affected versions 3.0.0-3.4.8 and 4.0.0-4.12.2 fail to validate organization membership scopes in device authorization flows and all Login V2/OIDC API V2 endpoints, enabling attackers to authenticate with users from unauthorized organizations. While the CVSS score of 5.3 indicates low-to-moderate severity with confidentiality impact only, the attack requires no privileges or user interaction and operates over the network, making it a practical concern for multi-tenant deployments.

Technical ContextAI

Zitadel is an open-source identity and access management platform written in Go (CPE: pkg:go/github.com_zitadel_zitadel) that implements OAuth2 and OpenID Connect protocols. The vulnerability resides in the OAuth2/OIDC interface's scope enforcement mechanism. Zitadel provides reserved scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}) to enforce organization context during authentication. The root cause (CWE-863: Improper Authorization) stems from inconsistent validation logic: while Login V1 properly enforced organization membership for standard authorization requests, the corresponding checks were omitted from device authorization grant flows and the newer Login V2 and OIDC Service API V2 endpoints (CreateCallback and AuthorizeOrDenyDeviceAuthorization). This allows an attacker to craft requests that bypass the intended organization isolation controls.

RemediationAI

Immediately upgrade to Zitadel version 4.12.3 or later (4.x branch) or version 3.4.9 or later (3.x branch). Both patched releases validate provided scopes and enforce organization existence during authorization requests, and prevent sessions of users not belonging to the required organization from being used on CreateCallback and AuthorizeOrDenyDeviceAuthorization endpoints. Patches are available at https://github.com/zitadel/zitadel/releases/tag/v4.12.3 and https://github.com/zitadel/zitadel/releases/tag/v3.4.9. Until patching is feasible, implement network-level access controls to restrict OAuth2/OIDC endpoints to trusted clients, enforce TLS/HTTPS for all identity provider communications, and audit authentication logs for cross-organization login attempts. Applications already enforcing additional authorization checks via roles or permissions will retain some protection but should not rely on this as a substitute for upgrading.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy