Red Hat CVE-2026-33132
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A vulnerability in Zitadel's OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication.
Impact
Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in.
While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints. This allowed users to bypass the restriction and sign in with users from other organizations.
Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass.
Affected Versions
Systems running one of the following versions are affected:
- 4.x:
4.0.0through4.12.2(including RC versions) - 3.x:
3.0.0through3.4.8(including RC versions)
Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by validating the provided scopes and enforcing the organization existence when processing the authorization request. Additionally it will prevent the use of a session of a user which does not belong to the required organization on the OIDC service endpoints (CreateCallback and Authorize or Deny Device Authorization endpoints).
4.x: Upgrade to >=4.12.3 3.x: Update to >=3.4.9
Workarounds
The recommended solution is to upgrade to a patched version.
Questions
If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)
Credits
Thanks to @motoki317 for reporting this vulnerability.
AnalysisAI
Zitadel's OAuth2/OIDC implementation contains an authentication bypass vulnerability (CWE-863: Improper Authorization) that allows unauthenticated attackers to circumvent organization enforcement controls during login. Affected versions 3.0.0-3.4.8 and 4.0.0-4.12.2 fail to validate organization membership scopes in device authorization flows and all Login V2/OIDC API V2 endpoints, enabling attackers to authenticate with users from unauthorized organizations. While the CVSS score of 5.3 indicates low-to-moderate severity with confidentiality impact only, the attack requires no privileges or user interaction and operates over the network, making it a practical concern for multi-tenant deployments.
Technical ContextAI
Zitadel is an open-source identity and access management platform written in Go (CPE: pkg:go/github.com_zitadel_zitadel) that implements OAuth2 and OpenID Connect protocols. The vulnerability resides in the OAuth2/OIDC interface's scope enforcement mechanism. Zitadel provides reserved scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}) to enforce organization context during authentication. The root cause (CWE-863: Improper Authorization) stems from inconsistent validation logic: while Login V1 properly enforced organization membership for standard authorization requests, the corresponding checks were omitted from device authorization grant flows and the newer Login V2 and OIDC Service API V2 endpoints (CreateCallback and AuthorizeOrDenyDeviceAuthorization). This allows an attacker to craft requests that bypass the intended organization isolation controls.
RemediationAI
Immediately upgrade to Zitadel version 4.12.3 or later (4.x branch) or version 3.4.9 or later (3.x branch). Both patched releases validate provided scopes and enforce organization existence during authorization requests, and prevent sessions of users not belonging to the required organization from being used on CreateCallback and AuthorizeOrDenyDeviceAuthorization endpoints. Patches are available at https://github.com/zitadel/zitadel/releases/tag/v4.12.3 and https://github.com/zitadel/zitadel/releases/tag/v3.4.9. Until patching is feasible, implement network-level access controls to restrict OAuth2/OIDC endpoints to trusted clients, enforce TLS/HTTPS for all identity provider communications, and audit authentication logs for cross-organization login attempts. Applications already enforcing additional authorization checks via roles or permissions will retain some protection but should not rely on this as a substitute for upgrading.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-g2pf-ww5m-2r9m