CVE-2026-55670 in ZITADELinfo

Summary

by MITRE • 07/10/2026

ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists within ZITADEL's event store validation mechanism, which governs how identity management events are processed and stored within the system. The flaw represents a critical logical error in the platform's resource ownership tracking system where deleted user identifiers maintain their association with the original organization even after deletion. When administrators delete a user account, the system fails to properly dissociate the user identifier from its original organizational context, creating a persistent link that can be exploited by malicious actors or unauthorized personnel.

The technical implementation of this vulnerability stems from inadequate cleanup procedures within ZITADEL's event store architecture. When a user is deleted, the system should completely sever all associations between the user identifier and the original organization's administrative context. However, the validation logic retains reference pointers that allow subsequent recreation of users with identical identifiers to inherit properties from the original organizational context. This behavior violates fundamental security principles of isolation and access control enforcement within identity management systems.

The operational impact of this vulnerability extends beyond simple data exposure to encompass serious organizational security implications. An attacker who gains access to a deleted user identifier could potentially recreate that user in a different organization, thereby gaining unauthorized administrative access to resources within the original organization. This creates a scenario where compromised identifiers can be leveraged across multiple organizations, effectively bypassing the intended isolation mechanisms that separate different organizational contexts within ZITADEL's multi-tenant architecture. The vulnerability essentially allows for cross-organization privilege escalation through identifier reuse.

The security implications align with CWE-284 Access Control Bypass and ATT&CK technique T1078 Valid Accounts, where attackers can leverage valid but improperly managed account identifiers to gain unauthorized access. Organizations using affected versions of ZITADEL face significant risks including potential data breaches, unauthorized administrative access, and compromise of sensitive organizational information. The vulnerability specifically affects the system's ability to maintain proper separation between organizations, undermining the core multi-tenant security model.

Mitigation strategies should include immediate upgrade to version 4.15.2 which addresses this validation flaw through enhanced cleanup procedures in the event store. Organizations should also implement monitoring for unauthorized user recreation attempts and conduct thorough audits of deleted user identifiers to ensure proper dissociation from original organizational contexts. Additional defensive measures may involve implementing stricter access controls around user creation and deletion operations, as well as regular security assessments of identity management systems to identify similar logical flaws in resource ownership tracking mechanisms.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!