CVE-2025-64717

Name of the Vulnerable Software and Affected Versions ZITADEL versions 2.50.0 through 2.71.18 ZITADEL versions 3.0.0-rc.1 through 3.4.3 ZITADEL versions 4.0.0-rc.1 through 4.6.5

Description ZITADEL, an open source identity management platform, has a flaw in its federation process. This issue allows the auto-linking of users from external identity providers to existing ZITADEL users, even when the corresponding identity provider is inactive or federation is disallowed by the organization. The platform incorrectly validates login attempts and links external identities to internal accounts based on matching criteria. This can lead to Account Takeover, bypassing security controls. Accounts with Multi-Factor Authentication (MFA) enabled are not susceptible to this issue. The problem occurs only with identity providers created at the instance level, not those registered on other organizations.

Recommendations ZITADEL versions 2.50.0 through 2.71.18: Upgrade to version 2.71.19 or later. ZITADEL versions 3.0.0-rc.1 through 3.4.3: Update to version 3.4.4 or later. ZITADEL versions 4.0.0-rc.1 through 4.6.5: Upgrade to version 4.6.6 or later.