Livio-A

**Name of the Vulnerable Software and Affected Versions** ZITADEL versions prior to 3.4.7 ZITADEL versions prior to 4.11.1 **Description** ZITADEL, an open source identity management platform, had a flaw in its self-management feature. This allowed users to falsely mark their email and phone as verified without completing the verification process. The issue was addressed by enforcing proper permission checks when setting the verification flag and restricting self-management to the email address and/or phone number itself. **Recommendations** Upgrade to ZITADEL version 3.4.7 or later. Upgrade to ZITADEL version 4.11.1 or later. If an upgrade is not possible, utilize an action (v2) to prevent setting the verification flag on user accounts.

**Name of the Vulnerable Software and Affected Versions** ZITADEL versions prior to 4.0.0-rc.2 ZITADEL versions prior to 3.3.2 ZITADEL versions prior to 2.71.13 ZITADEL versions prior to 2.70.14 ZITADEL versions 2.53.0 through 3.3.1 **Description** ZITADEL’s session management API has a flaw where an authenticated user can update a session knowing only its ID, due to a missing permission check. This enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. **Recommendations** Update ZITADEL to version 4.0.0-rc.2 or later. Update ZITADEL to version 3.3.2 or later. Update ZITADEL to version 2.71.13 or later. Update ZITADEL to version 2.70.14 or later.

**Name of the Vulnerable Software and Affected Versions** Zitadel versions prior to 2.54.10 Zitadel versions from 2.55.0 through 2.55.7 Zitadel versions from 2.56.0 through 2.56.5 Zitadel versions from 2.57.0 through 2.57.4 Zitadel versions from 2.58.0 through 2.58.4 Zitadel versions from 2.59.0 through 2.59.2 Zitadel versions from 2.60.0 through 2.60.1 Zitadel versions from 2.61.0 through 2.61.0 Zitadel versions from 2.62.0 through 2.62.0 **Description** Zitadel is an open source identity management platform. The user grants deactivation mechanism did not work correctly, allowing deactivated user grants to be provided in tokens. This could lead to unauthorized access to applications and resources. The management and auth API always returned the state as active or did not provide any information about the state. **Recommendations** For versions prior to 2.54.10, upgrade to version 2.54.10 or later. For versions from 2.55.0 through 2.55.7, upgrade to version 2.55.8 or later. For versions from 2.56.0 through 2.56.5, upgrade to version 2.56.6 or later. For versions from 2.57.0 through 2.57.4, upgrade to version 2.57.5 or later. For versions from 2.58.0 through 2.58.4, upgrade to version 2.58.5 or later. For versions from 2.59.0 through 2.59.2, upgrade to version 2.59.3 or later. For versions from 2.60.0 through 2.60.1, upgrade to version 2.60.2 or later. For versions from 2.61.0 through 2.61.0, upgrade to version 2.61.1 or later. For versions from 2.62.0 through 2.62.0, upgrade to version 2.62.1 or later. As a temporary workaround, users unable to upgrade may explicitly remove the user grants to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Zitadel versions prior to 2.54.10 Zitadel versions 2.55.0 through 2.55.7 Zitadel versions 2.56.0 through 2.56.5 Zitadel versions 2.57.0 through 2.57.4 Zitadel versions 2.58.0 through 2.58.4 Zitadel versions 2.59.0 through 2.59.2 Zitadel versions 2.60.0 through 2.60.1 Zitadel versions 2.61.0 through 2.61.0 Zitadel versions 2.62.0 through 2.62.0 **Description** Zitadel's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. **Recommendations** Upgrade to version 2.54.10 or later. For versions prior to 2.54.10, consider creating new credentials and replacing the old ones wherever they are used. Revoke all existing authentication keys associated with the service account. Rotate the service account's password. At the moment, there is no information about other versions that contain a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zitadel versions prior to 2.53.9 Zitadel versions prior to 2.54.8 Zitadel versions prior to 2.55.5 Zitadel versions prior to 2.56.2 Zitadel versions prior to 2.57.1 Zitadel versions prior to 2.58.1 **Description** Zitadel is an open source identity management system. The system has a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess or enumerate usernames. If enabled, Zitadel will show the password prompt even if the user doesn't exist and report "Username or Password invalid". However, due to an implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases, and an attacker would gain information if an account exists within Zitadel, since the error message shows "object not found" instead of the generic error message. **Recommendations** Update to version 2.53.9 or later for Zitadel 2.53.x versions Update to version 2.54.8 or later for Zitadel 2.54.x versions Update to version 2.55.5 or later for Zitadel 2.55.x versions Update to version 2.56.2 or later for Zitadel 2.56.x versions Update to version 2.57.1 or later for Zitadel 2.57.x versions Update to version 2.58.1 or later for Zitadel 2.58.x versions