PT-2024-32331 · Zitadel · Zitadel

Livio-A · Published 2024-09-19 · Updated 2024-09-26

CVE-2024-46999

CVSS v4.0: 7.4 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Zitadel versions prior to 2.54.10
Zitadel versions from 2.55.0 through 2.55.7
Zitadel versions from 2.56.0 through 2.56.5
Zitadel versions from 2.57.0 through 2.57.4
Zitadel versions from 2.58.0 through 2.58.4
Zitadel versions from 2.59.0 through 2.59.2
Zitadel versions from 2.60.0 through 2.60.1
Zitadel versions from 2.61.0 through 2.61.0
Zitadel versions from 2.62.0 through 2.62.0

Description

Zitadel is an open source identity management platform. The user grant deactivation mechanism did not work correctly: deactivated user grants were still included in issued tokens, which could lead to unauthorized access to applications and resources. In addition, the management and auth APIs either always reported the grant state as active or provided no information about the state at all, so the problem was not visible through those APIs.

Recommendations

For versions prior to 2.54.10, upgrade to version 2.54.10 or later.
For versions from 2.55.0 through 2.55.7, upgrade to version 2.55.8 or later.
For versions from 2.56.0 through 2.56.5, upgrade to version 2.56.6 or later.
For versions from 2.57.0 through 2.57.4, upgrade to version 2.57.5 or later.
For versions from 2.58.0 through 2.58.4, upgrade to version 2.58.5 or later.
For versions from 2.59.0 through 2.59.2, upgrade to version 2.59.3 or later.
For versions from 2.60.0 through 2.60.1, upgrade to version 2.60.2 or later.
For versions from 2.61.0 through 2.61.0, upgrade to version 2.61.1 or later.
For versions from 2.62.0 through 2.62.0, upgrade to version 2.62.1 or later.

As a temporary workaround, users unable to upgrade may explicitly remove the affected user grants (rather than only deactivating them) to prevent unauthorized access.

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2024-46999
GHSA-2W5J-QFVW-2HF5
GO-2024-3137

Affected Products

Zitadel