PT-2026-24854 · Git+1 · Zitadel
Odgrso
·
Published
2026-03-11
·
Updated
2026-03-16
·
CVE-2026-32131
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
ZITADEL versions prior to 3.4.8
ZITADEL versions prior to 4.12.2
Description
ZITADEL is an open source identity management platform. A flaw exists in the Management API that allows authenticated users with a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to access management-plane information from other organizations. This is achieved by specifying the project id, grant id, or app id of a different tenant through the API. The API endpoints involved are not explicitly specified.
Recommendations
Update to ZITADEL version 3.4.8 or later.
Update to ZITADEL version 4.12.2 or later.
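The flaw class described above is a missing tenant-ownership check: the API confirms that the caller holds a permission such as project.read but does not confirm that the requested project belongs to the caller's organization. The following Go snippet is an added illustration written for this advisory; it is not ZITADEL's code, the affected endpoints are not known, and the Token, Project, store and handler names are hypothetical. It places a permission-only lookup beside a tenant-scoped one so the difference in behaviour on a foreign ID is visible.

```go
package main

import (
	"errors"
	"fmt"
)

// Token is a hypothetical caller identity: the organization it was issued
// for and the permission set it carries (names taken from the advisory).
type Token struct {
	Subject     string
	OrgID       string
	Permissions map[string]bool
}

// Project is a hypothetical management-plane resource owned by one org.
type Project struct {
	ID    string
	OrgID string
	Name  string
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// Constructed sample store with one project per tenant.
var projects = map[string]Project{
	"p-100": {ID: "p-100", OrgID: "org-A", Name: "alpha"},
	"p-200": {ID: "p-200", OrgID: "org-B", Name: "beta"},
}

// getProjectPermissionOnly models the weak check: it verifies that the
// caller holds project.read but never compares the project's owner with
// the caller's organization, so any valid ID from any tenant is returned.
func getProjectPermissionOnly(tok Token, id string) (Project, error) {
	if !tok.Permissions["project.read"] {
		return Project{}, ErrForbidden
	}
	p, ok := projects[id]
	if !ok {
		return Project{}, ErrNotFound
	}
	return p, nil
}

// getProjectTenantScoped is the hardened form: the permission check is
// kept, and the resource is only returned when its OrgID matches the
// organization the token was issued for. A foreign ID yields the same
// ErrNotFound as a nonexistent one, so the response does not confirm
// that another tenant's resource exists.
func getProjectTenantScoped(tok Token, id string) (Project, error) {
	if !tok.Permissions["project.read"] {
		return Project{}, ErrForbidden
	}
	p, ok := projects[id]
	if !ok || p.OrgID != tok.OrgID {
		return Project{}, ErrNotFound
	}
	return p, nil
}

func main() {
	// Constructed caller from org-A with a low-privilege read token.
	tok := Token{Subject: "user-1", OrgID: "org-A",
		Permissions: map[string]bool{"project.read": true}}
	for _, id := range []string{"p-100", "p-200", "p-999"} {
		_, weakErr := getProjectPermissionOnly(tok, id)
		_, scopedErr := getProjectTenantScoped(tok, id)
		fmt.Printf("%s: permission-only err=%v, tenant-scoped err=%v\n", id, weakErr, scopedErr)
	}
}
```

The ownership comparison is the whole fix: permission strings describe what a caller may do, not which tenant's data it may do it to, so every lookup by client-supplied ID needs the second check.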
Exploit
Fix
Missing Authorization
IDOR
Related Identifiers
Affected Products
Zitadel