Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H for the improbable ID-recycling preconditions; PR:H because admin privileges are needed to provision users in both tenants; scope changed because impact crosses organizational boundaries.
Primary rating from Vendor (https://github.com/zitadel/zitadel).
CVSS VectorVendor: https://github.com/zitadel/zitadel
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
A flaw in the user lifecycle enforcement allowed deleted users to retain their original organization/tenant association. Recreating a deleted user under a distinct organization can cause the new user instance to be incorrectly provisioned within the original organization if the previous ID would be used to recreate it.
Impact
When a user is created, the system maps the generated or provided ID to its target organization (Org A). When that user is subsequently deleted, a deletion event is appended to the stream, but the historical mapping of the resource owner within the event store's validation layer is not cleared.
If a new user is later provisioned in a different organization (Org B) using that exact same ID, the event store validation logic reads the stream's history, matches it to the original organization, and routes the new user's events to Org A instead of Org B.
This issue represents a localized multi-tenancy isolation anomaly rather than an easily exploitable attack vector. Because the new user instance is incorrectly routed and provisioned inside Org A instead of Org B, an administrator from Org A inadvertently gains full access to this new user record.
However, there is no technical mechanism for a malicious actor to force, automate, or target this behavior against a specific user or tenant. Because the scenario relies entirely on an accidental sequence of operational events and requires the recycling of a highly specific ID space, the practical security risk is exceptionally low.
Affected Versions
Systems running one of the following versions are affected:
- 4.x:
4.0.0through4.15.1(including RC versions) - 3.x:
3.0.0through3.4.11(including RC versions)
Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.
Workarounds
The recommended solution is to upgrade to a patched version.
Questions
If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)
Credits
Thanks to Charlie Graven from Famedly for reporting this vulnerability.
AnalysisAI
Cross-tenant user record leakage in ZITADEL versions 4.0.0-4.15.1 and 3.0.0-3.4.11 allows an organization administrator to inadvertently gain full access to a user record provisioned in a different tenant due to stale aggregate-ID ownership mappings persisting in the event store after user deletion. When a new user is later provisioned in a separate organization using the same ID as a previously deleted user, the event store's owner-resolution logic retrieves the original organization's mapping and incorrectly routes all new provisioning events there. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three specific sequential conditions must all occur, none of which can be forced or automated by an attacker: first, a user must have been provisioned in Organization A with a specific aggregate ID; second, that user must have been subsequently deleted, appending a deletion event to the stream while leaving the historical owner mapping intact; third, a new user must be provisioned in a distinct Organization B using the exact same aggregate ID as the deleted user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is exceptionally low despite the multi-tenancy framing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An Org B administrator provisions a new user and - either by manually specifying a recycled ID or through an improbable system-level ID collision - assigns an ID previously associated with a deleted user in Org A. The ZITADEL event store resolves ownership to Org A based on the stale stream history and routes all provisioning events for the new user there. … |
| Remediation | Vendor-released patch: v4.15.2, available at https://github.com/zitadel/zitadel/releases/tag/v4.15.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42977
GHSA-6x8v-2fq5-2229