Skip to main content

ZITADEL EUVDEUVD-2026-42977

| CVE-2026-55670 LOW
Improper Access Control (CWE-284)
2026-06-18 https://github.com/zitadel/zitadel GHSA-6x8v-2fq5-2229
2.3
CVSS 4.0 · Vendor: https://github.com/zitadel/zitadel

Severity by source

Vendor (https://github.com/zitadel/zitadel) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.4 MEDIUM

AC:H for the improbable ID-recycling preconditions; PR:H because admin privileges are needed to provision users in both tenants; scope changed because impact crosses organizational boundaries.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (https://github.com/zitadel/zitadel).

CVSS VectorVendor: https://github.com/zitadel/zitadel

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 10, 2026 - 18:22 NVD
2.3 (LOW)
Source Code Evidence Fetched
Jun 18, 2026 - 14:09 vuln.today
Analysis Generated
Jun 18, 2026 - 14:09 vuln.today

DescriptionCVE.org

Summary

A flaw in the user lifecycle enforcement allowed deleted users to retain their original organization/tenant association. Recreating a deleted user under a distinct organization can cause the new user instance to be incorrectly provisioned within the original organization if the previous ID would be used to recreate it.

Impact

When a user is created, the system maps the generated or provided ID to its target organization (Org A). When that user is subsequently deleted, a deletion event is appended to the stream, but the historical mapping of the resource owner within the event store's validation layer is not cleared.

If a new user is later provisioned in a different organization (Org B) using that exact same ID, the event store validation logic reads the stream's history, matches it to the original organization, and routes the new user's events to Org A instead of Org B.

This issue represents a localized multi-tenancy isolation anomaly rather than an easily exploitable attack vector. Because the new user instance is incorrectly routed and provisioned inside Org A instead of Org B, an administrator from Org A inadvertently gains full access to this new user record.

However, there is no technical mechanism for a malicious actor to force, automate, or target this behavior against a specific user or tenant. Because the scenario relies entirely on an accidental sequence of operational events and requires the recycling of a highly specific ID space, the practical security risk is exceptionally low.

Affected Versions

Systems running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.15.1 (including RC versions)
  • 3.x: 3.0.0 through 3.4.11 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.

Workarounds

The recommended solution is to upgrade to a patched version.

Questions

If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)

Credits

Thanks to Charlie Graven from Famedly for reporting this vulnerability.

AnalysisAI

Cross-tenant user record leakage in ZITADEL versions 4.0.0-4.15.1 and 3.0.0-3.4.11 allows an organization administrator to inadvertently gain full access to a user record provisioned in a different tenant due to stale aggregate-ID ownership mappings persisting in the event store after user deletion. When a new user is later provisioned in a separate organization using the same ID as a previously deleted user, the event store's owner-resolution logic retrieves the original organization's mapping and incorrectly routes all new provisioning events there. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Operator specifies recycled user ID during provisioning in Org B
Delivery
Event store queries stream history for that aggregate ID
Exploit
Stale owner mapping resolves to Org A
Execution
New user's events routed to Org A instead of Org B
Impact
Org A admin gains inadvertent access to misrouted user record

Vulnerability AssessmentAI

Exploitation Three specific sequential conditions must all occur, none of which can be forced or automated by an attacker: first, a user must have been provisioned in Organization A with a specific aggregate ID; second, that user must have been subsequently deleted, appending a deletion event to the stream while leaving the historical owner mapping intact; third, a new user must be provisioned in a distinct Organization B using the exact same aggregate ID as the deleted user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is exceptionally low despite the multi-tenancy framing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An Org B administrator provisions a new user and - either by manually specifying a recycled ID or through an improbable system-level ID collision - assigns an ID previously associated with a deleted user in Org A. The ZITADEL event store resolves ownership to Org A based on the stale stream history and routes all provisioning events for the new user there. …
Remediation Vendor-released patch: v4.15.2, available at https://github.com/zitadel/zitadel/releases/tag/v4.15.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy