CVE-2024-46999
📋 TL;DR
This vulnerability in the Zitadel identity management platform allows the roles of deactivated user grants to remain in issued tokens, so a user keeps access to applications and resources that the deactivated grant should no longer permit. The management and auth APIs also incorrectly report these grants as active. Every deployment running an affected version is impacted.
💻 Affected Systems
- Zitadel
📦 What is this software?
Zitadel by Zitadel: an open-source identity and access management platform (OIDC/OAuth2 provider) whose user grants assign project roles to users; those roles are what the affected tokens carry.
⚠️ Risk & Real-World Impact
Worst Case
Anyone who can authenticate as a user whose grants were deactivated (a former employee who still has credentials, or an attacker holding a compromised account) receives tokens carrying every role those grants conferred. Persistent unauthorized access to all applications and resources tied to those grants follows, with data breaches and privilege escalation inside those applications as the consequence.
Likely Case
Former employees or users with deactivated grants retain access to applications they should no longer have, leading to unauthorized data access and policy violations.
If Mitigated
With proper monitoring and access review processes, unauthorized access attempts can be detected and blocked before significant damage occurs.
🎯 Exploit Status
No exploit code is needed. A user whose grant was deactivated simply authenticates (or refreshes a token) and receives a token that still carries the grant's roles, and relying applications honour it. The flaw sits in the token generation logic rather than in any one application, so every project whose authorization depends on Zitadel role claims is affected on an unpatched version.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, or 2.54.10
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5
Restart Required: Yes
Instructions:
1. Back up your Zitadel configuration and database.
2. Stop the Zitadel service.
3. Update to one of the patched versions using your package manager or deployment method (for container deployments, bump the image tag).
4. Restart the Zitadel service.
5. Verify the update: confirm the running version, then obtain a token for a test user with a deactivated grant and check that the grant's roles are no longer present.
🔧 Temporary Workarounds
Manual Grant Removal
Explicitly remove user grants instead of deactivating them; on affected versions only removal actually revokes the access.
Use the Zitadel management API or the console UI to delete the user grant entirely rather than deactivating it. A removed grant can be added again later if needed, whereas a deactivated grant keeps working until the patch is applied.
🧯 If You Can't Patch
- Implement strict monitoring of user grant activity and access patterns
- Regularly audit and manually remove all deactivated user grants from the system
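The workaround above as a script, added here as an example and not Zitadel's own code: it lists the organization's user grants through the Management API v1, keeps the ones in state USER_GRANT_STATE_INACTIVE, and deletes them. The endpoint paths, request body, response shape and the `x-zitadel-orgid` header are taken from the v1 Management API as I know it and should be checked against the API reference for your version; the bearer token must belong to a service user allowed to write user grants. `fake_transport`, `SAMPLE_GRANTS` and `DELETED` are constructed so the script runs offline; `urllib_transport` is what you would pass against a real instance.

```python
"""Remove deactivated Zitadel user grants instead of leaving them deactivated.

Assumed Management API v1 routes (check against your version's reference):
  ListUserGrants   POST   {base}/management/v1/users/grants/_search
  RemoveUserGrant  DELETE {base}/management/v1/users/{userId}/grants/{grantId}
Assumed response shape: {"result": [{"id", "userId", "projectId", "roleKeys",
"state", ...}]} with state USER_GRANT_STATE_INACTIVE for deactivated grants.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

INACTIVE_STATE = "USER_GRANT_STATE_INACTIVE"
PAGE_SIZE = 100

# transport(method, url, headers, json_body_or_None) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[dict]) -> dict:
    """Real HTTPS transport using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class GrantCleaner:
    def __init__(self, base_url: str, token: str, org_id: Optional[str] = None,
                 transport: Transport = urllib_transport) -> None:
        self.base = base_url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}
        if org_id:  # scope the Management API call to one organization
            self.headers["x-zitadel-orgid"] = org_id
        self.transport = transport

    def list_grants(self) -> List[dict]:
        """All user grants of the org, following offset/limit pagination."""
        grants: List[dict] = []
        offset = 0
        while True:
            body = {"query": {"offset": str(offset), "limit": PAGE_SIZE, "asc": True}}
            page = self.transport("POST", f"{self.base}/management/v1/users/grants/_search",
                                  self.headers, body).get("result", [])
            grants.extend(page)
            if len(page) < PAGE_SIZE:
                return grants
            offset += PAGE_SIZE

    def inactive_grants(self) -> List[dict]:
        return [g for g in self.list_grants() if g.get("state") == INACTIVE_STATE]

    def remove_inactive(self, dry_run: bool = True) -> List[Tuple[str, str]]:
        """Delete every deactivated grant; returns the (userId, grantId) pairs handled.
        Deletion is what actually revokes access on an affected version."""
        handled: List[Tuple[str, str]] = []
        for g in self.inactive_grants():
            uid, gid = g["userId"], g["id"]
            if not dry_run:
                self.transport("DELETE", f"{self.base}/management/v1/users/{uid}/grants/{gid}",
                               self.headers, None)
            handled.append((uid, gid))
        return handled


# ---- constructed offline stand-in for a real instance ------------------------
SAMPLE_GRANTS = [  # constructed sample, not real Zitadel output
    {"id": "g1", "userId": "u1", "projectId": "p1", "roleKeys": ["reader"],
     "state": "USER_GRANT_STATE_ACTIVE"},
    {"id": "g2", "userId": "u1", "projectId": "p1", "roleKeys": ["admin"],
     "state": "USER_GRANT_STATE_INACTIVE"},
    {"id": "g3", "userId": "u2", "projectId": "p2", "roleKeys": ["billing"],
     "state": "USER_GRANT_STATE_INACTIVE"},
]
DELETED: List[str] = []  # URLs the fake transport received DELETE requests for


def fake_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[dict]) -> dict:
    """Offline transport: serves SAMPLE_GRANTS and records deletions."""
    if method == "POST" and url.endswith("/users/grants/_search"):
        return {"result": SAMPLE_GRANTS}
    if method == "DELETE":
        DELETED.append(url)
    return {}


if __name__ == "__main__":
    cleaner = GrantCleaner("https://zitadel.example.com", "service-user-token",
                           org_id="org1", transport=fake_transport)
    print("dry run:", cleaner.remove_inactive(dry_run=True))
    print("removed:", cleaner.remove_inactive(dry_run=False))
    print("DELETE calls:", DELETED)
```

Run it first with `dry_run=True` and review the list; on a real instance, ListUserGrants returns only the grants of the organization selected by `x-zitadel-orgid` (or the token's own organization), so loop over each organization if you manage several.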
🔍 How to Verify
Check if Vulnerable:
Check if your Zitadel version is older than the patched versions listed in the advisory
Check Version:
zitadel version or check deployment manifest/configuration
Verify Fix Applied:
After patching, obtain a token for a test user who has a deactivated grant and confirm that the grant's roles are absent from the token, and that the management and auth APIs report the grant's state as inactive.
📡 Detection & Monitoring
Log Indicators:
- Successful authentication or token issuance for users whose grants on the target project have all been deactivated
- API calls from users with supposedly revoked permissions (roles that only a deactivated grant would explain)
Network Indicators:
- Token introspection or validation requests for users with deactivated grants
- Unusual access patterns from users whose grants were deactivated (the user account itself is typically still active; it is the grant that was deactivated)
SIEM Query:
source="zitadel" AND (event="token_issued" OR event="api_call") AND user_id IN [users_with_inactive_grants]
(Illustrative pseudo-query: the field names depend on how your SIEM ingests Zitadel logs, and the user list has to come from a grant inventory, because the user's own status is not what changed.)
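The check behind both the verification step and the detection indicators above, as an added example that is not Zitadel project code: decode the token's claim set, read the Zitadel roles claim `urn:zitadel:iam:org:project:roles` (role key mapped to the granting organization), and subtract the role keys of the user's grants that are still USER_GRANT_STATE_ACTIVE in your own inventory (for instance the ListUserGrants output); whatever is left is a role the token should no longer carry. `scan` runs the same comparison over a batch of token records for detection. The functions work on any claim set that contains the roles claim, whether a JWT ID or access token or the JSON returned by the userinfo or introspection endpoint. The sample grants and tokens are constructed; `make_test_jwt` produces an unsigned, JWT-shaped string only so the example runs offline, and `jwt_claims` deliberately does not verify signatures.

```python
"""Compare the roles a Zitadel token asserts with the grants that are still active."""
import base64
import json
from typing import Dict, Iterable, List, Set

ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"
ACTIVE_STATE = "USER_GRANT_STATE_ACTIVE"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload of a compact JWT, WITHOUT signature verification.

    Good enough for inspecting a token you just obtained for a test user;
    never feed unverified claims into an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def active_roles(grants: Iterable[dict]) -> Set[str]:
    """Role keys explained by grants that are still ACTIVE in your inventory."""
    return {role for g in grants if g.get("state") == ACTIVE_STATE
            for role in g.get("roleKeys", [])}


def stale_roles(claims: dict, grants: Iterable[dict]) -> Set[str]:
    """Roles the token asserts that no active grant explains.

    A non-empty result means the token still carries roles from a
    deactivated grant, which is exactly the CVE-2024-46999 condition.
    """
    asserted = set(claims.get(ROLES_CLAIM, {}))
    return asserted - active_roles(grants)


def scan(records: Iterable[dict], grants_by_user: Dict[str, List[dict]]) -> List[dict]:
    """Detection pass over token-issuance records ({"token": ..., optional "sub"}):
    one finding per token that carries a stale role."""
    findings = []
    for rec in records:
        claims = jwt_claims(rec["token"])
        sub = claims.get("sub", rec.get("sub"))
        stale = stale_roles(claims, grants_by_user.get(sub, []))
        if stale:
            findings.append({"sub": sub, "stale_roles": sorted(stale)})
    return findings


# ---- constructed sample data (not real Zitadel output) ----------------------

def make_test_jwt(payload: dict) -> str:
    """Unsigned JWT-shaped token so the example runs offline.
    A real Zitadel token is signed; the signature segment here is a dummy."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.sig"


SAMPLE_GRANTS = {  # what your grant inventory reports for user u1
    "u1": [
        {"id": "g1", "roleKeys": ["reader"], "state": "USER_GRANT_STATE_ACTIVE"},
        {"id": "g2", "roleKeys": ["admin"], "state": "USER_GRANT_STATE_INACTIVE"},
    ],
}

# Unpatched behaviour: the deactivated grant's role is still in the token.
SAMPLE_TOKEN_UNPATCHED = make_test_jwt({
    "sub": "u1",
    ROLES_CLAIM: {"reader": {"org1": "org1.example.com"},
                  "admin": {"org1": "org1.example.com"}},
})
# Patched behaviour: only the active grant's role is asserted.
SAMPLE_TOKEN_PATCHED = make_test_jwt({
    "sub": "u1",
    ROLES_CLAIM: {"reader": {"org1": "org1.example.com"}},
})

if __name__ == "__main__":
    for label, tok in (("unpatched", SAMPLE_TOKEN_UNPATCHED),
                       ("patched", SAMPLE_TOKEN_PATCHED)):
        print(label, "stale roles:", sorted(stale_roles(jwt_claims(tok), SAMPLE_GRANTS["u1"])))
    print(scan([{"token": SAMPLE_TOKEN_UNPATCHED}, {"token": SAMPLE_TOKEN_PATCHED}],
               SAMPLE_GRANTS))
```

For the verification step, run `stale_roles` on a token freshly issued to the test user after the upgrade: an empty set confirms the fix. For detection, feed `scan` the tokens (or introspection results) seen by your gateway together with a grant inventory refreshed from the Management API.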