CVE-2025-64431
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zitadel | zitadel | 4.6.2 |
| zitadel | zitadel | 4.6.3 |
| zitadel | zitadel | 4.0.0-rc.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a secure Direct Object Reference (IDOR) issue in Zitadel versions 4.0.0-rc.1 through 4.6.2. It allows authenticated users with certain administrator roles within one organization to access and modify organization-level data (such as name, domains, and metadata) of other organizations through the V2Beta API. Other data like users, projects, and applications are not affected. The vulnerability is fixed in version 4.6.3.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing unauthorized access and modification of organization-level data by administrators from other organizations. This could lead to data integrity issues, unauthorized changes to organization names, domains, or metadata, potentially causing confusion, misrepresentation, or disruption of services tied to that data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Zitadel to version 4.6.3 or later, as this version contains the fix for the secure Direct Object Reference (IDOR) vulnerability in the V2Beta API. Additionally, review and restrict administrator roles within organizations to minimize exposure until the upgrade is applied.