CVE-2026-55670
Deferred
Deferred - Pending Action
Privilege Escalation in ZITADEL Identity Platform
Vulnerability report for CVE-2026-55670, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-10
Last updated on: 2026-07-10
Assigner: GitHub, Inc.
Description
Description
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zitadel | zitadel | to 4.15.2 (exc) |
| zitadel | zitadel | From 3.0.0 (inc) to 3.4.11 (inc) |
| zitadel | zitadel | to 4.15.1 (exc) |
| zitalel | zitalel | to 4.15.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |