PT-2025-19984 · Zitadel · Zitadel

Cfx · Published 2025-05-06 · Updated 2025-05-20 · CVE-2025-46815

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
ZITADEL versions prior to 3.0.0
ZITADEL versions prior to 2.71.9
ZITADEL versions prior to 2.70.10

Description
The issue concerns the Session API in ZITADEL, which lets developers manage user sessions and use IdPs for authentication through IdP intents. After a successful IdP intent, the client receives an ID and token on a predefined URI, which can then be used for authentication. An attacker with access to the application's URI could abuse this by reusing the intent repeatedly to retrieve the ID and token, allowing them to authenticate on behalf of the user. Additional factors such as MFA prevent the authentication process from completing and block access to the ZITADEL API.

Recommendations
For versions prior to 3.0.0, update to version 3.0.0 or later.
For versions prior to 2.71.9, update to version 2.71.9 or later.
For versions prior to 2.70.10, update to version 2.70.10 or later.

Exploit

Fix

Weakness Enumeration

Session Fixation
Insufficient Session Expiration

Related Identifiers

CVE-2025-46815
GHSA-G4R8-MP7G-85FQ
GO-2025-3671
OPENSUSE-SU-2025:15135-1

Affected Products

Zitadel