CVE-2026-55670
Deferred Deferred - Pending Action

Privilege Escalation in ZITADEL Identity Platform

Vulnerability report for CVE-2026-55670, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 4.15.2 (exc)
zitadel zitadel From 3.0.0 (inc) to 3.4.11 (inc)
zitadel zitadel to 4.15.1 (exc)
zitalel zitalel to 4.15.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55670 is a vulnerability in ZITADEL versions prior to 4.15.2 where the event store retains the original resource owner for a deleted user identifier. If a new user is created in a different organization using the same identifier as the deleted user, the system incorrectly associates the new user with the original organization. This causes the new user to be provisioned under the original organization and exposed to that organization's administrators.

The root cause is that the eventstore's handling of resource owners was implicit and did not allow explicit control per command or event type, leading to unsafe overwrites of aggregate owners when creating events for reusable aggregates.

The vulnerability is classified as a localized multi-tenancy isolation anomaly with low practical security risk due to the high complexity of exploitation and specific operational conditions required.

Impact Analysis

This vulnerability can lead to cross-tenant user leakage where a new user created with a recycled identifier in a different organization is mistakenly provisioned under the original organization.

As a result, administrators of the original organization gain unintended access to the new user's records, potentially exposing sensitive user information to unauthorized parties.

However, the practical security risk is considered low because exploiting this issue requires a highly specific sequence of events and is not easily targeted.

Detection Guidance

This vulnerability involves the event store retaining the original resource owner for a deleted user identifier, causing cross-tenant user leakage when a user is recreated with the same identifier in another organization.

Detection would require inspecting the event store data to identify cases where user identifiers have been reused across organizations but still retain the original resource owner association.

Since the issue is related to internal event store data and owner assignments, there are no specific network commands or standard system commands provided to detect this vulnerability directly.

The recommended approach is to audit user identifiers and their associated organizations in the event store database to find inconsistencies or cross-tenant provisioning.

Mitigation Strategies

The primary mitigation step is to upgrade ZITADEL to version 4.15.2 or later, where this vulnerability has been fixed.

The fix involves changes to the event store to explicitly enforce resource owner assignment, preventing the retention of original owners for deleted user identifiers.

Until the upgrade can be applied, carefully audit user provisioning workflows to avoid reusing user identifiers across different organizations.

Compliance Impact

The vulnerability in ZITADEL prior to version 4.15.2 allows cross-tenant user leakage via recycled identifiers, where a user recreated with the same identifier in another organization can be provisioned under the original organization and exposed to that organization's administrators.

This issue could potentially impact compliance with data protection regulations such as GDPR or HIPAA because it involves unauthorized access to user data by administrators of a different organization, violating principles of data segregation and access control.

However, the vulnerability is classified as having low practical security risk due to its high attack complexity and specific operational conditions required for exploitation.

The recommended mitigation is to upgrade to version 4.15.2 or later, where the issue is fixed by explicitly enforcing resource owner assignment in the eventstore.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55670. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart