Zitadel · Zitadel · CVE-2025-53895
**Name of the Vulnerable Software and Affected Versions**
- ZITADEL versions prior to 4.0.0-rc.2
- ZITADEL versions prior to 3.3.2
- ZITADEL versions prior to 2.71.13
- ZITADEL versions prior to 2.70.14
- ZITADEL versions 2.53.0 through 3.3.1
**Description**
ZITADEL's session management API is missing a permission check: an authenticated user can update a session knowing only its ID, regardless of which user that session belongs to. This enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources.
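The following Go example is added here to illustrate the class of defect the advisory describes; it is not ZITADEL's code and does not reproduce its API. The session type, the `Caller` principal, the `"session.write"` permission name and the in-memory store are all hypothetical. `UpdateSessionVulnerable` shows the pattern in which existence of a session ID is the only gate on an update; `UpdateSessionFixed` puts the same mutation behind an ownership-or-permission check and records every refusal so that attempts against foreign session IDs show up in logs.

```go
package main

import (
	"errors"
	"fmt"
)

// Session is a simplified, hypothetical session record for illustration;
// it is not ZITADEL's own type.
type Session struct {
	ID       string
	UserID   string            // user the session belongs to
	OrgID    string            // organisation that owns that user
	Metadata map[string]string // mutable attributes an update may change
}

// Caller is the authenticated principal behind an API request.
type Caller struct {
	UserID      string
	OrgID       string
	Permissions map[string]bool // e.g. "session.write" for administrators (hypothetical name)
}

var (
	ErrNotFound         = errors.New("session not found")
	ErrPermissionDenied = errors.New("permission denied")
)

// Store is a toy in-memory session store with an audit trail of refused updates.
type Store struct {
	sessions map[string]*Session
	denied   []string
}

func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

// Seed inserts a session (constructed test data).
func (s *Store) Seed(sess *Session) { s.sessions[sess.ID] = sess }

// DeniedCount reports how many update attempts the authorization check refused.
func (s *Store) DeniedCount() int { return len(s.denied) }

// Metadata returns a session's current attributes, or nil if the ID is unknown.
func (s *Store) Metadata(sessionID string) map[string]string {
	if sess, ok := s.sessions[sessionID]; ok {
		return sess.Metadata
	}
	return nil
}

// UpdateSessionVulnerable is the missing-permission-check pattern: the only
// gate is that a session with this ID exists, so any authenticated caller who
// learns an ID can change a session that belongs to someone else.
func (s *Store) UpdateSessionVulnerable(c Caller, sessionID string, patch map[string]string) error {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return ErrNotFound
	}
	for k, v := range patch {
		sess.Metadata[k] = v
	}
	return nil
}

// mayWriteSession is the authorization decision that must precede any mutation:
// the session's owner may always write it; anyone else needs an explicit
// permission scoped to the same organisation as the session's owner.
func mayWriteSession(c Caller, sess *Session) bool {
	if c.UserID == sess.UserID {
		return true
	}
	return c.Permissions["session.write"] && c.OrgID == sess.OrgID
}

// UpdateSessionFixed performs the same update behind the authorization check
// and logs every refusal, which makes probing of foreign session IDs visible.
func (s *Store) UpdateSessionFixed(c Caller, sessionID string, patch map[string]string) error {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return ErrNotFound
	}
	if !mayWriteSession(c, sess) {
		s.denied = append(s.denied, fmt.Sprintf(
			"denied session update: caller=%s session=%s owner=%s", c.UserID, sessionID, sess.UserID))
		return ErrPermissionDenied
	}
	for k, v := range patch {
		sess.Metadata[k] = v
	}
	return nil
}

func main() {
	st := NewStore()
	st.Seed(&Session{ID: "sess-1", UserID: "alice", OrgID: "org-a", Metadata: map[string]string{}})
	bob := Caller{UserID: "bob", OrgID: "org-a"} // authenticated, but not the owner
	fmt.Println("vulnerable:", st.UpdateSessionVulnerable(bob, "sess-1", map[string]string{"x": "1"}))
	fmt.Println("fixed:     ", st.UpdateSessionFixed(bob, "sess-1", map[string]string{"x": "2"}))
	for _, line := range st.denied {
		fmt.Println(line)
	}
}
```

The point of the fixed handler is that the permission decision is a function of the caller and the target resource together, not of the request shape alone, and that it runs before any write. Some designs return the same "not found" error to unauthorized callers so that the API does not confirm which IDs exist; the two distinct errors here are kept only to make the behaviour easy to observe.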
**Recommendations**
- Update ZITADEL to version 4.0.0-rc.2 or later.
- Update ZITADEL to version 3.3.2 or later.
- Update ZITADEL to version 2.71.13 or later.
- Update ZITADEL to version 2.70.14 or later.