CVE-2026-33132 in Zitadel
Summary
by MITRE • 03/20/2026
ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organization context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.
This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.
Analysis
by VulDB Data Team • 03/26/2026
CVE-2026-33132 is a critical authorization bypass in the ZITADEL identity management platform, affecting releases prior to 3.4.9 and versions 4.0.0 through 4.12.2. It concerns ZITADEL's organization enforcement: an application can require that users authenticate within a specific organization by requesting the scopes urn:zitadel:iam:org:id:{id} or urn:zitadel:iam:org:domain:primary:{domainname}, which should restrict sign-in to members of that organization. The flaw is that these enforcement controls were implemented inconsistently across the platform's authentication endpoints.
Organization enforcement was applied correctly to OAuth2/OIDC authorization requests in login V1, but the corresponding controls were missing from device authorization requests and from all login V2 and OIDC API V2 endpoints. Through those paths, a user could complete a sign-in that the application had restricted to a different organization, gaining access to systems or resources belonging to an organization other than their own. In effect this is privilege escalation through unauthorized cross-organizational access: credentials from one organization are used to reach services associated with another, violating the principle of least privilege and the organizational boundaries that security-conscious applications depend on.
The operational impact goes beyond a single unauthorized login; in multi-tenant deployments where organization isolation is critical, the bypass could enable lateral movement between tenants. The affected flows matter in practice: device authorization is commonly used for IoT devices and background applications where browser-based authentication is not feasible, and the login V2 and OIDC API V2 endpoints are the modern pathways organizations increasingly rely on for application integration. Any deployment that depends on ZITADEL's organization enforcement for access control is exposed, since users from one organization could reach sensitive resources, data or administrative functions of another organization in the same ZITADEL instance, with the potential for data breaches, privilege escalation and unauthorized system modifications affecting every organization on the shared platform.
Affected organizations should upgrade immediately to the patched versions 3.4.9 and 4.12.3 named in the advisory, and should review their authentication flows for evidence of past exploitation. The weakness is classified as CWE-639 Access Control Bypass and corresponds to ATT&CK techniques for privilege escalation and lateral movement through authentication bypass. Security teams should examine authentication logs for cross-organizational sign-ins, where the authenticated user's organization differs from the one the application requested, and add monitoring around the affected endpoints. The patch resolves the issue by enforcing the organization context consistently across all authentication pathways, restoring the intended security boundaries and protecting multi-tenant ZITADEL environments from unauthorized cross-organizational access.
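As an added example (not ZITADEL's own code), this Go sketch shows the check the advisory says was applied only on login V1: derive the required organization from the two enforcement scopes and verify the authenticating user's organization against it in one function that every flow, including device authorization and the V2 endpoints, must call. Type names, function names and the organization IDs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Scope prefixes named in the advisory for enforcing an organization context.
const (
	orgIDScopePrefix     = "urn:zitadel:iam:org:id:"
	orgDomainScopePrefix = "urn:zitadel:iam:org:domain:primary:"
)
// OrgRequirement is the org context an application requested via scopes.
type OrgRequirement struct{ ID, PrimaryDomain string }
// ResourceOwner is the org the authenticating user belongs to (constructed type; in practice read from the user record).
type ResourceOwner struct{ ID, PrimaryDomain string }
var ErrOrgMismatch = errors.New("user is not a member of the enforced organization")

// ParseOrgRequirement extracts the enforced org ID and/or primary domain from the scopes.
func ParseOrgRequirement(scopes []string) OrgRequirement {
	var req OrgRequirement
	for _, s := range scopes {
		switch {
		case strings.HasPrefix(s, orgIDScopePrefix):
			req.ID = strings.TrimPrefix(s, orgIDScopePrefix)
		case strings.HasPrefix(s, orgDomainScopePrefix):
			req.PrimaryDomain = strings.TrimPrefix(s, orgDomainScopePrefix)
		}
	}
	return req
}

// EnforceOrg fails unless the user's org satisfies every requested constraint. The fix the
// advisory describes amounts to calling this on every flow (authorization code, device
// authorization, login V2 / OIDC API V2), not only on login V1.
func EnforceOrg(req OrgRequirement, owner ResourceOwner) error {
	if req.ID != "" && req.ID != owner.ID {
		return fmt.Errorf("%w: org id %q required, user belongs to %q", ErrOrgMismatch, req.ID, owner.ID)
	}
	if req.PrimaryDomain != "" && !strings.EqualFold(req.PrimaryDomain, owner.PrimaryDomain) {
		return fmt.Errorf("%w: domain %q required, user belongs to %q", ErrOrgMismatch, req.PrimaryDomain, owner.PrimaryDomain)
	}
	return nil
}

func main() { // constructed values: a user from one org attempting a flow enforced for another
	req := ParseOrgRequirement([]string{"openid", "urn:zitadel:iam:org:id:0000000000000001"})
	fmt.Println(EnforceOrg(req, ResourceOwner{ID: "0000000000000002", PrimaryDomain: "other.example"}))
}
```

When no enforcement scope is requested, EnforceOrg accepts any organization, matching the advisory's description of the scopes as an optional additional check.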