CVE-2026-32131
Received
Received - Intake
Information Disclosure in ZITADEL Management API via Low-Privilege Tokens
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Description
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenantβs project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zitadel | zitadel | to 3.4.8 (exc) |
| zitadel | zitadel | From 4.0.0 (inc) to 4.12.2 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
