CVE-2026-33132
Authentication Bypass in ZITADEL Due to Missing Org Enforcement
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zitadel | zitadel | to 3.4.9 (exc) |
| zitadel | zitadel | From 4.0.0 (inc) to 4.12.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33132 is a security vulnerability in Zitadel, an open source identity management platform. The issue arises because Zitadel did not properly enforce organization scopes during certain authentication flows, specifically device authorization requests and all login V2 and OIDC API V2 endpoints.
Normally, Zitadel uses organization scopes (like urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}) to restrict sign-in to users belonging to a specific organization. While this enforcement worked correctly in OAuth2/OIDC authorization requests for login V1, it was missing in other flows, allowing users to bypass these restrictions.
This flaw allowed users to authenticate as members of other organizations without proper authorization, effectively bypassing organization membership checks during authentication.
The vulnerability was fixed by adding comprehensive checks to validate organization existence and enforce that user sessions belong to the correct organization across all affected flows.
How can this vulnerability impact me?
This vulnerability can allow unauthorized users to bypass organization membership restrictions during authentication, enabling them to sign in as users from other organizations.
As a result, an attacker could gain access to resources or services intended only for members of a specific organization, potentially leading to unauthorized access to sensitive information.
However, applications that rely on authorization or role assignments beyond the organization check are not affected by this bypass.
The vulnerability has a moderate severity with a CVSS v3.1 base score of 5.3, indicating a network-exploitable issue with low complexity and no required privileges or user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves improper enforcement of organization scopes during device authorization and OIDC flows in Zitadel, allowing users to bypass organization membership restrictions.
Detection would involve verifying whether authorization requests and device authorization flows properly enforce organization scopes such as urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}.
Since the issue is related to missing validation in authorization requests and session handling, detection could include monitoring authorization requests for missing or bypassed organization scope checks.
No specific commands or network detection tools are provided in the available resources to detect this vulnerability on your system or network.
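The two checks the advisory describes (the requested organization must exist, and the signed-in user's session must belong to it) and the detection idea above (replaying that check over recorded authorization requests) can be shown together. The following Go program is an added example written for this page; it is not ZITADEL's code. Only the two scope prefixes (urn:zitadel:iam:org:id: and urn:zitadel:iam:org:domain:primary:) come from the page; the Org, Session, OrgDirectory and AuthRequest types, the EnforceOrg and FlagCrossOrgRequests functions, and the sample request records are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Organization scope prefixes as named on the page.
const (
	scopeOrgIDPrefix     = "urn:zitadel:iam:org:id:"
	scopeOrgDomainPrefix = "urn:zitadel:iam:org:domain:primary:"
)

var (
	ErrOrgNotFound  = errors.New("requested organization does not exist")
	ErrOrgAmbiguous = errors.New("org id and primary domain scopes name different organizations")
	ErrOrgMismatch  = errors.New("session user does not belong to the requested organization")
)

// OrgConstraint is what an authorization request asks for; both fields empty means unrestricted.
type OrgConstraint struct{ OrgID, Domain string }

// ParseOrgScopes pulls the org constraint out of a space-separated OAuth scope parameter.
func ParseOrgScopes(scope string) OrgConstraint {
	var c OrgConstraint
	for _, s := range strings.Fields(scope) {
		switch {
		case strings.HasPrefix(s, scopeOrgIDPrefix):
			c.OrgID = strings.TrimPrefix(s, scopeOrgIDPrefix)
		case strings.HasPrefix(s, scopeOrgDomainPrefix):
			c.Domain = strings.TrimPrefix(s, scopeOrgDomainPrefix)
		}
	}
	return c
}

// Org and Session are hypothetical minimal records (assumption: not ZITADEL's own types).
type Org struct{ ID, PrimaryDomain string }
type Session struct{ UserID, OrgID string }

// OrgDirectory is a hypothetical in-memory lookup standing in for the org store.
type OrgDirectory struct{ byID, byDomain map[string]Org }

func NewOrgDirectory(orgs ...Org) OrgDirectory {
	d := OrgDirectory{byID: map[string]Org{}, byDomain: map[string]Org{}}
	for _, o := range orgs {
		d.byID[o.ID], d.byDomain[o.PrimaryDomain] = o, o
	}
	return d
}

// EnforceOrg performs the two checks the advisory says the fix added: the requested
// organization must exist, and the session's user must belong to that organization.
func EnforceOrg(c OrgConstraint, s Session, dir OrgDirectory) error {
	if c.OrgID == "" && c.Domain == "" {
		return nil // no org scope requested: users of any organization may sign in
	}
	var want Org
	found := false
	if c.OrgID != "" {
		o, ok := dir.byID[c.OrgID]
		if !ok {
			return ErrOrgNotFound
		}
		want, found = o, true
	}
	if c.Domain != "" {
		o, ok := dir.byDomain[c.Domain]
		if !ok {
			return ErrOrgNotFound
		}
		if found && o.ID != want.ID {
			return ErrOrgAmbiguous
		}
		want = o
	}
	if s.OrgID != want.ID {
		return ErrOrgMismatch
	}
	return nil
}

// AuthRequest is a constructed record of one completed authorization or device request,
// as it might be reconstructed from logs: the scope parameter and the session it produced.
type AuthRequest struct {
	ID      string
	Scope   string
	Session Session
}

// FlagCrossOrgRequests replays the enforcement over recorded requests and returns the IDs
// of requests that completed although the org checks would have rejected them.
func FlagCrossOrgRequests(reqs []AuthRequest, dir OrgDirectory) []string {
	var flagged []string
	for _, r := range reqs {
		if err := EnforceOrg(ParseOrgScopes(r.Scope), r.Session, dir); err != nil {
			flagged = append(flagged, r.ID)
		}
	}
	return flagged
}

// SampleRequests returns constructed records; they are not real ZITADEL log data.
func SampleRequests() []AuthRequest {
	return []AuthRequest{
		{ID: "r1", Scope: "openid urn:zitadel:iam:org:id:org-a", Session: Session{UserID: "u1", OrgID: "org-a"}},
		{ID: "r2", Scope: "openid urn:zitadel:iam:org:id:org-a", Session: Session{UserID: "u2", OrgID: "org-b"}},
		{ID: "r3", Scope: "openid urn:zitadel:iam:org:domain:primary:b.example.com", Session: Session{UserID: "u3", OrgID: "org-a"}},
		{ID: "r4", Scope: "openid urn:zitadel:iam:org:id:org-missing", Session: Session{UserID: "u4", OrgID: "org-a"}},
		{ID: "r5", Scope: "openid", Session: Session{UserID: "u5", OrgID: "org-b"}},
	}
}

func main() {
	dir := NewOrgDirectory(Org{ID: "org-a", PrimaryDomain: "a.example.com"}, Org{ID: "org-b", PrimaryDomain: "b.example.com"})
	for _, id := range FlagCrossOrgRequests(SampleRequests(), dir) {
		fmt.Println("request completed but fails org enforcement:", id)
	}
}
```

In the constructed sample, r2 (org id scope, session in another org), r3 (primary domain scope resolving to a different org) and r4 (org that does not exist) are flagged, while r1 and the unrestricted r5 pass. Run against real request records, a non-empty flagged list on an unpatched instance is exactly the cross-organization sign-in the advisory describes; after upgrading, such requests should be rejected rather than completed.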
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Zitadel to a patched version where the vulnerability is fixed.
- Upgrade to version 3.4.9 or later if using the 3.x series.
- Upgrade to version 4.12.3 or later if using the 4.x series.
These versions include fixes that enforce organization scopes during device authorization and OIDC flows, preventing unauthorized cross-organization access.