Skip to main content

OpenZiti CVE-2026-58165

| EUVDEUVD-2026-40371 HIGH
Missing Authorization (CWE-862)
2026-06-30 VulnCheck GHSA-c883-vc4m-3vc9
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Remote API call (AV:N) at low complexity (AC:L) requires an authenticated non-admin with delegated enrollment permission (PR:L) and no user interaction; redeeming the token yields full admin, so C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
Jun 30, 2026 - 17:44 vuln.today
v5 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 17:43 vuln.today
Analysis Updated
Jun 30, 2026 - 17:43 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 17:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 17:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 17:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Analysis Generated
Jun 30, 2026 - 17:15 vuln.today

DescriptionCVE.org

OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go verifies only that the target identity exists without performing authorization checks binding the caller to the target identity. Attackers can redeem the resulting one-time token through the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity, yielding full administrative control of the controller and the zero-trust overlay it manages.

AnalysisAI

Privilege escalation in OpenZiti through 2.0.0 lets an authenticated non-admin identity that holds fine-grained enrollment-management permissions mint an enrollment for any identity - including the built-in default administrator - and then redeem the resulting one-time token via the unauthenticated client enrollment API to receive a client certificate that authenticates as that admin, granting full control of the controller and the entire zero-trust overlay. The root cause is a missing authorization check (CWE-862) in the enrollment creation path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as non-admin with enrollment-management permission
Delivery
Call create-enrollment targeting admin identity
Exploit
Controller mints one-time token (no authz check)
Execution
Redeem token at unauthenticated client enrollment API
Persist
Obtain client certificate as admin
Impact
Full administrative control of controller and overlay

Vulnerability AssessmentAI

Exploitation The attacker must already possess a valid, authenticated non-admin OpenZiti identity that has been granted fine-grained enrollment-management (entity-level enrollment create) permissions - this delegated permission is the exact prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All decision signals point to a genuine, high-priority issue rather than a high-CVSS paper risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a low-privileged OpenZiti identity that has been delegated enrollment-management permissions calls the controller's create-enrollment API specifying the default administrator's identity as the target; because no authorization check binds caller to target, the controller mints a one-time enrollment token for the admin. The attacker then redeems that token through the unauthenticated client API enrollment endpoint, obtains a client certificate authenticating as the admin, and gains full administrative control of the controller and overlay. …
Remediation Upgrade OpenZiti to the build containing the fix in commit 3027fdffd3e57884487b7c46e5e669cfbc8becdf (merged via pull request https://github.com/openziti/ziti/pull/4013); an upstream fix is available but the specific tagged released version was not provided, so confirm the exact patched release with the vendor before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all OpenZiti deployments and audit which users or service accounts hold enrollment-management permissions; assess exposure if untrusted or high-risk personnel possess these permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy