CVE-2026-33132 (GCVE-0-2026-33132)
Vulnerability from cvelistv5 – Published: 2026-03-20 10:21 – Updated: 2026-03-20 19:31
Title
ZITADEL is missing enforcement of organization scopes
Summary
ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organization context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.
This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.
Severity
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33132",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T19:30:52.294049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T19:31:30.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.12.3"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc.1, \u003c 3.4.9"
},
{
"status": "affected",
"version": "\u003c 1.80.0-v2.20.0.20260317120401-d90285929ca0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T10:21:19.373Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m"
},
{
"name": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3"
}
],
"source": {
"advisory": "GHSA-g2pf-ww5m-2r9m",
"discovery": "UNKNOWN"
},
"title": "ZITADEL is missing enforcement of organization scopes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33132",
"datePublished": "2026-03-20T10:21:19.373Z",
"dateReserved": "2026-03-17T20:35:49.928Z",
"dateUpdated": "2026-03-20T19:31:30.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33132\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T11:18:02.857\",\"lastModified\":\"2026-03-23T18:06:26.590\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\\nThis allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.\"},{\"lang\":\"es\",\"value\":\"ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. Las versiones anteriores a la 3.4.9 y de la 4.0.0 a la 4.12.2 permit\u00edan a los usuarios eludir la aplicaci\u00f3n de la organizaci\u00f3n durante la autenticaci\u00f3n. Zitadel permite a las aplicaciones aplicar un contexto de organizaci\u00f3n durante la autenticaci\u00f3n utilizando \u00e1mbitos (urn:zitadel:iam:org:id:{id} y urn:zitadel:iam:org:domain:primary:{domainname}). Si se aplica, un usuario necesita ser parte de la organizaci\u00f3n requerida para iniciar sesi\u00f3n. 
Aunque esto se aplicaba correctamente para las solicitudes de autorizaci\u00f3n de OAuth2/OIDC en el inicio de sesi\u00f3n V1, faltaban controles correspondientes para las solicitudes de autorizaci\u00f3n de dispositivos y todos los puntos finales de inicio de sesi\u00f3n V2 y OIDC API V2. Esto permit\u00eda a los usuarios eludir la restricci\u00f3n e iniciar sesi\u00f3n con usuarios de otras organizaciones. Tenga en cuenta que esta aplicaci\u00f3n permite una verificaci\u00f3n adicional durante la autenticaci\u00f3n y las aplicaciones que dependen de autorizaciones / asignaciones de roles no se ven afectadas por esta elusi\u00f3n. Este problema ha sido parcheado en las versiones 3.4.9 y 4.12.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.4.9\",\"matchCriteriaId\":\"CB64A72E-A1E9-444E-B028-AFDFD32EDEFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.12.3\",\"matchCriteriaId\":\"3282FDC0-7B0C-494E-8F6D-A497EC96E5EE\"}]}]}],\"references\":[{\"url\":\"https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8\",\"source\":\"securi
ty-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/zitadel/zitadel/releases/tag/v3.4.9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/zitadel/zitadel/releases/tag/v4.12.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33132\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T19:30:52.294049Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T19:31:19.110Z\"}}], \"cna\": {\"title\": \"ZITADEL is missing enforcement of organization scopes\", \"source\": {\"advisory\": \"GHSA-g2pf-ww5m-2r9m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"zitadel\", \"product\": \"zitadel\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-rc.1, \u003c 4.12.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-rc.1, \u003c 3.4.9\"}, {\"status\": \"affected\", \"version\": \"\u003c 1.80.0-v2.20.0.20260317120401-d90285929ca0\"}]}], \"references\": [{\"url\": \"https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m\", \"name\": \"https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8\", \"name\": \"https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/zitadel/zitadel/releases/tag/v3.4.9\", 
\"name\": \"https://github.com/zitadel/zitadel/releases/tag/v3.4.9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/zitadel/zitadel/releases/tag/v4.12.3\", \"name\": \"https://github.com/zitadel/zitadel/releases/tag/v4.12.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\\nThis allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T10:21:19.373Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33132\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T19:31:30.207Z\", \"dateReserved\": \"2026-03-17T20:35:49.928Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T10:21:19.373Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}