CVE-2026-33132
Received Received - Intake
Authentication Bypass in ZITADEL Due to Missing Org Enforcement

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints. This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33132
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 3.4.9 (exc)
zitadel zitadel From 4.0.0 (inc) to 4.12.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33132 is a security vulnerability in Zitadel, an open source identity management platform. The issue arises because Zitadel did not properly enforce organization scopes during certain authentication flows, specifically device authorization requests and all login V2 and OIDC API V2 endpoints.

Normally, Zitadel uses organization scopes (like urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}) to restrict sign-in to users belonging to a specific organization. While this enforcement worked correctly in OAuth2/OIDC authorization requests for login V1, it was missing in other flows, allowing users to bypass these restrictions.

This flaw allowed users to authenticate as members of other organizations without proper authorization, effectively bypassing organization membership checks during authentication.

The vulnerability was fixed by adding comprehensive checks to validate organization existence and enforce that user sessions belong to the correct organization across all affected flows.

Impact Analysis

This vulnerability can allow unauthorized users to bypass organization membership restrictions during authentication, enabling them to sign in as users from other organizations.

As a result, an attacker could gain access to resources or services intended only for members of a specific organization, potentially leading to unauthorized access to sensitive information.

However, applications that rely on authorization or role assignments beyond the organization check are not affected by this bypass.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 5.3, indicating a network-exploitable issue with low complexity and no required privileges or user interaction.

Compliance Impact

I don't know

Detection Guidance

The vulnerability involves improper enforcement of organization scopes during device authorization and OIDC flows in Zitadel, allowing users to bypass organization membership restrictions.

Detection would involve verifying whether authorization requests and device authorization flows properly enforce organization scopes such as urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}.

Since the issue is related to missing validation in authorization requests and session handling, detection could include monitoring authorization requests for missing or bypassed organization scope checks.

No specific commands or network detection tools are provided in the available resources to detect this vulnerability on your system or network.

Mitigation Strategies

The primary mitigation step is to upgrade Zitadel to a patched version where the vulnerability is fixed.

  • Upgrade to version 3.4.9 or later if using the 3.x series.
  • Upgrade to version 4.12.3 or later if using the 4.x series.

These versions include fixes that enforce organization scopes during device authorization and OIDC flows, preventing unauthorized cross-organization access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33132. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart