CVE-2026-33132
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
### Summary

A vulnerability in Zitadel's OAuth2/OIDC interface allowed users to bypass organization enforcement during authentication.

### Impact

Zitadel allows applications to enforce an organization context during authentication using [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes) (`urn:zitadel:iam:org:id:{id}` and `urn:zitadel:iam:org:domain:primary:{domainname}`). If enforced, a user needs to be a member of the required organization to sign in.

While this was properly enforced for OAuth2/OIDC authorization requests in login V1, the corresponding controls were missing for device authorization requests and for all login V2 and OIDC API V2 endpoints. This allowed the restriction to be bypassed by signing in with users from other organizations.

Note that this enforcement is an additional check during authentication only; applications that rely on authorizations / role assignments are not affected by this bypass.

### Affected Versions

Systems running one of the following versions are affected:

- **4.x**: `4.0.0` through `4.12.2` (including RC versions)
- **3.x**: `3.0.0` through `3.4.8` (including RC versions)

### Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by validating the provided scopes and enforcing the existence of the organization when processing the authorization request. Additionally, it prevents a session of a user who does not belong to the required organization from being used on the OIDC service endpoints ([CreateCallback](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.CreateCallback) and [Authorize or Deny Device Authorization](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.AuthorizeOrDenyDeviceAuthorization)).

- 4.x: Upgrade to >= [4.12.3](https://github.com/zitadel/zitadel/releases/tag/v4.12.3)
- 3.x: Upgrade to >= [3.4.9](https://github.com/zitadel/zitadel/releases/tag/v3.4.9)

### Workarounds

The recommended solution is to upgrade to a patched version.

### Questions

If you have any questions or comments about this advisory, please email us at [[email protected]](mailto:[email protected]).

### Credits

Thanks to @motoki317 for reporting this vulnerability.
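The check the advisory describes, written out as an added example in Go (Zitadel's language). This is illustrative code for this page, not Zitadel's implementation: the `Org` and `Session` types, the `RequiredOrg` and `BindSession` functions and the conflict rule for disagreeing `id`/`domain` scopes are all assumptions made here. Only the two reserved scope prefixes come from the advisory. The point it shows is that the same org check has to run on every path that binds an authenticated session to an authorization or device-authorization request, not only on the login V1 authorization request.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Reserved scope prefixes named in the advisory.
const (
	scopeOrgID     = "urn:zitadel:iam:org:id:"
	scopeOrgDomain = "urn:zitadel:iam:org:domain:primary:"
)

// Org and Session are hypothetical stand-ins for an organization record and
// an authenticated login V2 session; they are not Zitadel types.
type Org struct {
	ID            string
	PrimaryDomain string
}

type Session struct {
	UserID string
	OrgID  string // organization the authenticated user belongs to
}

var (
	ErrOrgNotFound     = errors.New("required organization does not exist")
	ErrConflictingOrgs = errors.New("org scopes resolve to different organizations")
	ErrWrongOrg        = errors.New("session user does not belong to the required organization")
)

// RequiredOrg resolves the organization constraint carried by the requested
// scopes. It returns "" when no org scope is present, ErrOrgNotFound when a
// scope names an org that does not exist (the advisory's "enforcing the
// organization existence"), and ErrConflictingOrgs when id and domain scopes
// disagree (a rule chosen for this example, not documented Zitadel behaviour).
func RequiredOrg(scopes []string, orgs []Org) (string, error) {
	required := ""
	for _, s := range scopes {
		var match func(Org) bool
		switch {
		case strings.HasPrefix(s, scopeOrgID):
			id := strings.TrimPrefix(s, scopeOrgID)
			match = func(o Org) bool { return o.ID == id }
		case strings.HasPrefix(s, scopeOrgDomain):
			d := strings.TrimPrefix(s, scopeOrgDomain)
			match = func(o Org) bool { return o.PrimaryDomain == d }
		default:
			continue // openid, profile, email, ... carry no org constraint
		}
		found := ""
		for _, o := range orgs {
			if match(o) {
				found = o.ID
				break
			}
		}
		if found == "" {
			return "", ErrOrgNotFound
		}
		if required != "" && required != found {
			return "", ErrConflictingOrgs
		}
		required = found
	}
	return required, nil
}

// BindSession is the check that must run wherever a session is attached to an
// authorization or device-authorization request (the V2 CreateCallback and
// AuthorizeOrDenyDeviceAuthorization paths named in the advisory): an org scope
// on the request means only a session of a user in that org may complete it.
func BindSession(scopes []string, sess Session, orgs []Org) error {
	orgID, err := RequiredOrg(scopes, orgs)
	if err != nil {
		return err
	}
	if orgID != "" && sess.OrgID != orgID {
		return ErrWrongOrg
	}
	return nil
}

func main() {
	// Constructed sample data: two organizations and one user in each.
	orgs := []Org{{ID: "org-a", PrimaryDomain: "a.example.com"}, {ID: "org-b", PrimaryDomain: "b.example.com"}}
	alice := Session{UserID: "alice", OrgID: "org-a"}
	bob := Session{UserID: "bob", OrgID: "org-b"}
	// An application that restricts sign-in to org-a by primary domain.
	scopes := []string{"openid", "profile", scopeOrgDomain + "a.example.com"}

	fmt.Println("alice (org-a):", BindSession(scopes, alice, orgs))
	fmt.Println("bob (org-b):  ", BindSession(scopes, bob, orgs))
	fmt.Println("missing org:  ", BindSession([]string{scopeOrgID + "org-z"}, alice, orgs))
}
```

Without an org scope the request carries no constraint and any session is accepted, which is why the advisory stresses that applications relying on role assignments rather than this scope were not affected. Skipping `BindSession` on one endpoint while keeping it on another is exactly the class of gap the advisory describes.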
Analysis
Zitadel's OAuth2/OIDC implementation contains an authentication bypass (CWE-863: Improper Authorization) in its organization enforcement controls. Versions 3.0.0 through 3.4.8 and 4.0.0 through 4.12.2 do not validate the organization membership scopes on device authorization requests or on the login V2 and OIDC API V2 endpoints, so a user who belongs to a different organization in the same Zitadel instance can sign in to an application that restricts authentication to one organization. Login V1 authorization requests enforced the scopes correctly, and applications that gate access on role assignments rather than on these scopes are not affected. …
Remediation
Within 30 days: identify affected systems and apply the vendor patches as part of the regular patch cycle. Fixed releases are available: upgrade 4.x to 4.12.3 or later and 3.x to 3.4.9 or later. No workaround other than upgrading is documented.
References
GHSA-g2pf-ww5m-2r9m