PT-2022-23143 · Zitadel · Zitadel

Published: 2022-08-30 · Updated: 2022-09-09 · CVE-2022-36051

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
ZITADEL versions 1.42.0 through 1.87.0
ZITADEL versions 1.56.0 through 1.87.0
ZITADEL version 2.x prior to 2.2.0

Description
The issue is a missing authorization check in the Actions feature, introduced in ZITADEL 1.42.0 on the API and 1.56.0 in Console. This feature allows users with the ORG OWNER role to create JavaScript code that the system invokes at certain points during login. Actions can create authorizations (user grants) on newly created users programmatically. Because of the missing authorization check, an Action could grant authorizations for projects that belong to other organizations within the same instance. Granting authorizations via the API and Console is not affected by this issue.

Recommendations
For ZITADEL versions 1.42.0 through 1.87.0, update to version 1.87.1 or later. For ZITADEL versions 1.56.0 through 1.87.0, update to version 1.87.1 or later. For ZITADEL version 2.x prior to 2.2.0, update to version 2.2.0 or later. As a temporary workaround, consider disabling the Actions feature until a patch can be applied, and restrict access to the Actions feature to minimize the risk of exploitation.
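The check the description says was missing, shown as an added illustration in Go (ZITADEL's own language) that is not ZITADEL code: the types, the GrantStore and the organization/project identifiers are all hypothetical. GrantFromAction refuses to create a user grant from an Action unless the Action's organization owns the project, and FindCrossOrgGrants audits grants that already exist for the cross-organization case an upgrade alone does not undo.

```go
package main

import "errors"

// Hypothetical model (not ZITADEL's own types): a project is owned by one
// organization, and an Action script runs in the context of one organization.
type Project struct {
	ID            string
	ResourceOwner string // organization that owns the project
}

type UserGrant struct {
	UserID       string
	ProjectID    string
	GrantedByOrg string // organization whose Action created the grant
}

var ErrUnknownProject = errors.New("unknown project")
var ErrCrossOrgGrant = errors.New("action may not grant a project owned by another organization")

type GrantStore struct {
	Projects map[string]Project
	Grants   []UserGrant
}

// GrantFromAction is the hardened path: an Action running in actionOrg may only
// create user grants on projects that actionOrg itself owns.
func (s *GrantStore) GrantFromAction(actionOrg, userID, projectID string) error {
	p, ok := s.Projects[projectID]
	if !ok {
		return ErrUnknownProject
	}
	if p.ResourceOwner != actionOrg {
		return ErrCrossOrgGrant // the check the vulnerable versions lacked
	}
	s.Grants = append(s.Grants, UserGrant{UserID: userID, ProjectID: projectID, GrantedByOrg: actionOrg})
	return nil
}

// FindCrossOrgGrants audits existing grants (e.g. ones an Action created before
// the upgrade) and returns those whose project belongs to another organization.
func (s *GrantStore) FindCrossOrgGrants() []UserGrant {
	var out []UserGrant
	for _, g := range s.Grants {
		if p, ok := s.Projects[g.ProjectID]; !ok || p.ResourceOwner != g.GrantedByOrg {
			out = append(out, g)
		}
	}
	return out
}
```

Running the audit over the grants Actions created before updating is the practical follow-up to the upgrade, since the fix stops new cross-organization grants but does not revoke existing ones.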


Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2022-36051
GHSA-C8FJ-4PM8-MP2C

Affected Products

Zitadel