PT-2026-24854 · Git+1 · Zitadel
Odgrso · Published 2026-03-11 · Updated 2026-03-16 · CVE-2026-32131
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
ZITADEL versions prior to 3.4.8
ZITADEL versions prior to 4.12.2

Description:
ZITADEL is an open source identity management platform. A flaw in the Management API allows an authenticated user holding a token with only low-privilege permissions (e.g., project.read, project.grant.read, or project.app.read) to read management-plane information belonging to other organizations. The access is obtained by supplying the project id, grant id, or app id of a different tenant in the API request; the server does not verify that the referenced object belongs to the caller's own organization. The specific API endpoints involved are not explicitly specified.

Recommendations:
Update to ZITADEL version 3.4.8 or later.
Update to ZITADEL version 4.12.2 or later.

Exploit

Fix

Weakness Enumeration

Missing Authorization
IDOR

Related identifiers

CVE-2026-32131
GHSA-WR6R-59XG-4PJ2

Affected products

Zitadel