CVE-2026-33132 in Zitadelinfo

Zusammenfassung

von MITRE • 20.03.2026

ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.
This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

17.03.2026

Veröffentlichung

20.03.2026

Moderieren

akzeptiert

Eintrag

VDB-352062

CPE

bereit

CWE

CWE-863 (bestätigt)

CVSS

5.3 (CNA)

EPSS

0.00077

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-33132
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-33132
CVE Details	https://www.cvedetails.com/cve/CVE-2026-33132/

◂ Zurück Übersicht Weiter ▸

Interested in the pricing of exploits?

See the underground prices here!