CVE-2026-58165
Status: Received - Intake

Privilege Escalation in OpenZiti Controller

Vulnerability report for CVE-2026-58165, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go verifies only that the target identity exists without performing authorization checks binding the caller to the target identity. Attackers can redeem the resulting one-time token through the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity, yielding full administrative control of the controller and the zero-trust overlay it manages.

CVSS Scores

No CVSS score is listed on this page.

EPSS Scores

Not evaluated (no probability or percentile available).

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A generated: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor     Product    Version / Range
openziti   openziti   up to and including 2.0.0

Helpful Resources

None listed on this page.

Exploitability

CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

KEV: no entry shown on this page.

Executive Summary

CVE-2026-58165 is a privilege escalation vulnerability in OpenZiti versions up to 2.0.0 that allows authenticated non-admin users with enrollment management permissions to create enrollments for any identity, including the default administrator.

The root cause is that the ApplyCreate function in the enrollment manager only verifies that the target identity exists but does not check if the caller is authorized to create enrollments for that identity.

An attacker with these permissions can generate a one-time token for an admin identity and redeem it through an unauthenticated client API enrollment endpoint to obtain a client certificate. This certificate authenticates the attacker as the admin, granting full administrative control over the OpenZiti controller and the zero-trust overlay it manages.
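The following Go program is an added illustration of the gap described above, not OpenZiti's enrollment_manager.go or the code from commit 3027fdf. The types, store, permission name (enrollments.create) and the unauthenticated redeem function are assumptions chosen to show the two halves of the problem side by side: an ApplyCreate-style check that only verifies the target exists, and the same function with the caller bound to the target, using the rule the advisory attributes to the fix (a non-admin may not enroll an admin identity). The redeem step shows why the missing check is an escalation: whoever holds the one-time token becomes the enrolled identity.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

type Identity struct {
	ID      string
	IsAdmin bool
}

// Caller is the authenticated API caller: its identity plus the
// fine-grained permissions it holds (permission names are assumptions).
type Caller struct {
	Identity    Identity
	Permissions map[string]bool
}

// Enrollment is a pending one-time-token enrollment for an identity.
type Enrollment struct {
	IdentityID string
	Token      string
}

var (
	ErrUnauthorized = errors.New("unauthorized")
	ErrNotFound     = errors.New("identity not found")
	ErrBadToken     = errors.New("unknown or already redeemed token")
)

// Store is an in-memory stand-in for controller state (assumption).
type Store struct {
	identities  map[string]Identity
	enrollments map[string]Enrollment // keyed by one-time token
}

// NewStore seeds the default admin and one ordinary identity.
func NewStore() *Store {
	return &Store{
		identities: map[string]Identity{
			"admin": {ID: "admin", IsAdmin: true},
			"dev-1": {ID: "dev-1"},
		},
		enrollments: map[string]Enrollment{},
	}
}

func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// vulnerableApplyCreate reproduces the flaw the advisory describes: the
// caller's permission and the target's existence are checked, but nothing
// ties the caller to the target, so a non-admin can enroll "admin".
func vulnerableApplyCreate(s *Store, caller Caller, targetID string) (*Enrollment, error) {
	if !caller.Permissions["enrollments.create"] {
		return nil, ErrUnauthorized
	}
	if _, ok := s.identities[targetID]; !ok { // existence only
		return nil, ErrNotFound
	}
	e := Enrollment{IdentityID: targetID, Token: newToken()}
	s.enrollments[e.Token] = e
	return &e, nil
}

// fixedApplyCreate adds the missing binding: a non-admin may not create
// enrollments for an admin identity. Illustrative only; the real fix in
// commit 3027fdf may be structured differently.
func fixedApplyCreate(s *Store, caller Caller, targetID string) (*Enrollment, error) {
	if !caller.Permissions["enrollments.create"] {
		return nil, ErrUnauthorized
	}
	target, ok := s.identities[targetID]
	if !ok {
		return nil, ErrNotFound
	}
	if target.IsAdmin && !caller.Identity.IsAdmin {
		return nil, ErrUnauthorized
	}
	e := Enrollment{IdentityID: targetID, Token: newToken()}
	s.enrollments[e.Token] = e
	return &e, nil
}

// redeemOTT models the unauthenticated client enrollment endpoint: anyone
// presenting a valid token is issued a credential for the enrollment's
// identity, and the token is consumed.
func redeemOTT(s *Store, token string) (Identity, error) {
	e, ok := s.enrollments[token]
	if !ok {
		return Identity{}, ErrBadToken
	}
	delete(s.enrollments, token)
	return s.identities[e.IdentityID], nil
}

func main() {
	s := NewStore()
	dev := Caller{Identity: s.identities["dev-1"], Permissions: map[string]bool{"enrollments.create": true}}

	e, err := vulnerableApplyCreate(s, dev, "admin")
	if err != nil {
		panic(err)
	}
	who, _ := redeemOTT(s, e.Token)
	fmt.Printf("vulnerable: dev-1 now holds a credential for %q (admin=%v)\n", who.ID, who.IsAdmin)

	_, err = fixedApplyCreate(s, dev, "admin")
	fmt.Println("fixed: dev-1 enrolling admin ->", err)
}
```

The check that matters is the one comparing target.IsAdmin against the caller: without it, the permission to create enrollments is effectively the permission to become any identity, because the redeem endpoint has no caller to authorize.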

Impact Analysis

This vulnerability can have severe impacts by allowing an attacker to escalate their privileges from a non-admin user to full administrative control.

  • The attacker can create enrollments for any identity, including admins.
  • They can generate and redeem one-time tokens to obtain admin-level client certificates.
  • With admin privileges, the attacker gains full management API access, enabling persistent control over the system.
  • They can create additional admin identities or escalate other non-admin identities.

Overall, this leads to complete compromise of the OpenZiti controller and the zero-trust overlay it manages.

Detection Guidance

Detection here means establishing two things: whether a non-admin identity holding enrollment permissions can create an enrollment for an admin identity on your controller, and whether anyone already has. Exploitation passes through two endpoints, the authenticated POST /edge/management/v1/enrollments endpoint and the unauthenticated POST /edge/client/v1/enroll/ott endpoint, so those are the places to look, both in logs and in a live test.

Checks that apply:

  • Review API logs for POST requests to /edge/management/v1/enrollments made by non-admin identities, and compare the target identity of each request with the set of admin identities. A non-admin successfully creating an enrollment for an admin identity is the exploitation signal; a denied attempt on a patched controller still indicates probing.
  • List current enrollments and flag any whose target is an admin identity but which were not created by an administrator.
  • In a test environment, use a non-admin account with enrollment permissions to create an enrollment for an admin identity; an unpatched controller accepts the request.
  • Monitor one-time-token redemptions via POST /edge/client/v1/enroll/ott that resolve to an admin identity. Once such a token has been redeemed, the attacker already holds a client certificate for that admin identity, so the log evidence of the redemption matters more than the enrollment record itself.
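The following Go program is an added example of the first and last checks above, run over constructed log lines; it is not OpenZiti's own logging or tooling. The JSON-per-line schema (fields ts, method, path, caller, identityId, token, status) is an assumption: a real controller or reverse-proxy log needs its own field mapping, and the set of admin identities would normally come from the identity listing rather than a hard-coded map. The same filter (target is an admin identity, creator is not) also applies to an enrollment listing when auditing existing enrollments.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// apiEvent is the assumed, constructed audit-log shape: one JSON object per
// line. Caller is the authenticated identity (empty on the unauthenticated
// client enroll endpoint); IdentityID is the enrollment target on a create;
// Token is issued on create and presented on redeem.
type apiEvent struct {
	TS         string `json:"ts"`
	Method     string `json:"method"`
	Path       string `json:"path"`
	Caller     string `json:"caller,omitempty"`
	IdentityID string `json:"identityId,omitempty"`
	Token      string `json:"token,omitempty"`
	Status     int    `json:"status"`
}

// sampleLog is constructed for this example. Line 3 is the escalation,
// line 5 its redemption, line 6 a later attempt denied by a patched build.
const sampleLog = `
{"ts":"2026-06-30T10:00:01Z","method":"POST","path":"/edge/management/v1/enrollments","caller":"admin","identityId":"dev-2","token":"t-111","status":201}
{"ts":"2026-06-30T10:00:05Z","method":"POST","path":"/edge/management/v1/enrollments","caller":"dev-1","identityId":"dev-3","token":"t-222","status":201}
{"ts":"2026-06-30T10:00:09Z","method":"POST","path":"/edge/management/v1/enrollments","caller":"dev-1","identityId":"admin","token":"t-333","status":201}
{"ts":"2026-06-30T10:00:10Z","method":"GET","path":"/edge/management/v1/enrollments","caller":"dev-1","status":200}
{"ts":"2026-06-30T10:00:42Z","method":"POST","path":"/edge/client/v1/enroll/ott","token":"t-333","status":200}
{"ts":"2026-06-30T11:15:00Z","method":"POST","path":"/edge/management/v1/enrollments","caller":"dev-1","identityId":"admin","status":403}
`

type Finding struct {
	TS, Rule, Detail string
}

// Detect scans the log once. Tokens of admin enrollments created by
// non-admins are remembered so that their later redemption on the
// unauthenticated client endpoint can be tied back to the escalation.
func Detect(log string, admins map[string]bool) []Finding {
	var out []Finding
	adminTokens := map[string]string{} // token -> targeted admin identity
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev apiEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			out = append(out, Finding{Rule: "unparseable-line", Detail: line})
			continue
		}
		if ev.Method != "POST" {
			continue
		}
		switch ev.Path {
		case "/edge/management/v1/enrollments":
			// Admins may enroll anyone; a non-admin enrolling a non-admin is
			// within the permission it was granted. Only non-admin -> admin matters.
			if admins[ev.Caller] || !admins[ev.IdentityID] {
				continue
			}
			if ev.Status >= 200 && ev.Status < 300 {
				out = append(out, Finding{ev.TS, "non-admin-created-admin-enrollment",
					fmt.Sprintf("%s created an enrollment for admin identity %s (token %s)", ev.Caller, ev.IdentityID, ev.Token)})
				if ev.Token != "" {
					adminTokens[ev.Token] = ev.IdentityID
				}
			} else {
				out = append(out, Finding{ev.TS, "non-admin-admin-enrollment-attempt-denied",
					fmt.Sprintf("%s tried to enroll admin identity %s, status %d", ev.Caller, ev.IdentityID, ev.Status)})
			}
		case "/edge/client/v1/enroll/ott":
			if target, ok := adminTokens[ev.Token]; ok && ev.Status >= 200 && ev.Status < 300 {
				out = append(out, Finding{ev.TS, "admin-ott-redeemed",
					fmt.Sprintf("token %s redeemed: a client certificate for admin identity %s has been issued", ev.Token, target)})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Detect(sampleLog, map[string]bool{"admin": true}) {
		fmt.Printf("%s  %-42s %s\n", f.TS, f.Rule, f.Detail)
	}
}
```

The redemption finding is the one to page on: at that point the enrollment record may already be gone and the admin certificate is in the attacker's hands, so the response is credential revocation, not just permission cleanup.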

Mitigation Strategies

Immediate mitigation steps include:

  • Until the fix is deployed, revoke enrollment permissions from non-admin identities, or narrow them to the smallest set that operations require.
  • Apply the fix: upgrade to a build that contains commit 3027fdf (the change from Pull Request #4013).
  • After upgrading, confirm that the enrollment router rejects attempts by non-admin users to create, read, refresh, or delete enrollments for admin identities.
  • Confirm that enrollment listings returned to non-admin users no longer include admin identity enrollments.
  • Audit existing enrollments and revoke any admin enrollment that was not created by an administrator. A one-time token that has already been redeemed has produced a client certificate for the admin identity, and revoking the enrollment does not revoke that certificate; review the authenticators bound to admin identities, remove any an administrator did not issue, and rotate the affected admin credentials.
