PT-2026-26195 · Zitadel · Zitadel
Motoki317 · Published 2026-03-18 · Updated 2026-03-27
CVE-2026-33132 · CVSS v3.1 5.3 (Medium) · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
ZITADEL versions prior to 3.4.9
ZITADEL versions 4.0.0 through 4.12.2

Description
ZITADEL, an open source identity management platform, had a flaw where organization enforcement during authentication could be bypassed. The platform uses scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}) to enforce an organization context during authentication. This enforcement was properly implemented for OAuth2/OIDC authorization requests in login V1, but was missing for device authorization requests and for all login V2 and OIDC API V2 endpoints. As a result, users could sign in with accounts belonging to organizations other than the one the request required. The issue did not affect applications relying on authorizations or role assignments. The vulnerability was addressed by validating the provided scopes and enforcing that the requested organization exists when processing authorization requests, and by preventing the use of sessions of users who do not belong to the required organization on the OIDC service endpoints, specifically the CreateCallback and AuthorizeOrDenyDeviceAuthorization API endpoints.

Recommendations
Versions prior to 3.4.9: update to version 3.4.9 or later.
Versions 4.0.0 through 4.12.2: update to version 4.12.3 or later.
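The following Go snippet is an added illustration of the two checks the fix describes; it is not ZITADEL's own code, and the Org record, the in-memory org list and the function names are assumptions for this example. It goes slightly beyond the advisory by also rejecting a request whose org scopes name two different organizations.

```go
package main

import "errors"
import "strings"

// The two scopes ZITADEL uses to pin an authorization request to an organization.
const (
	orgIDScope     = "urn:zitadel:iam:org:id:"
	orgDomainScope = "urn:zitadel:iam:org:domain:primary:"
)
// Org is a constructed, minimal organization record for this example, not ZITADEL's type.
type Org struct{ ID, PrimaryDomain string }
var (
	ErrOrgNotFound   = errors.New("required organization does not exist")
	ErrScopeConflict = errors.New("org scopes name different organizations")
	ErrWrongOrg      = errors.New("session user does not belong to the required organization")
)

// requiredOrg is the "validate provided scopes" half of the fix: every org scope must name an
// existing org and all org scopes must agree. A nil result means no org context was requested.
func requiredOrg(scopes []string, orgs []Org) (*Org, error) {
	var required *Org
	for _, s := range scopes {
		if !strings.HasPrefix(s, orgIDScope) && !strings.HasPrefix(s, orgDomainScope) {
			continue // ordinary scope such as openid or profile
		}
		var match *Org
		for i := range orgs {
			if s == orgIDScope+orgs[i].ID || s == orgDomainScope+orgs[i].PrimaryDomain {
				match = &orgs[i]
			}
		}
		switch {
		case match == nil:
			return nil, ErrOrgNotFound
		case required != nil && required.ID != match.ID:
			return nil, ErrScopeConflict
		}
		required = match
	}
	return required, nil
}

// enforceOrg is the session-side half, applied where a session completes the flow (CreateCallback,
// AuthorizeOrDenyDeviceAuthorization): the session's user must belong to the required org.
func enforceOrg(scopes []string, sessionUserOrgID string, orgs []Org) error {
	org, err := requiredOrg(scopes, orgs)
	if err == nil && org != nil && sessionUserOrgID != org.ID {
		return ErrWrongOrg
	}
	return err
}
```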

Weakness Enumeration
Incorrect Authorization

Related Identifiers

CVE-2026-33132
GHSA-G2PF-WW5M-2R9M
GO-2026-4751
SUSE-SU-2026:1135-1

Affected Products

Zitadel