CVE-2025-46815

8.0 HIGH

📋 TL;DR

This vulnerability in ZITADEL's Session API allows an attacker to reuse IdP intents repeatedly to obtain authentication tokens. An attacker with access to the application's URI can then authenticate as a legitimate user. All ZITADEL deployments running versions earlier than the patched releases are affected.

💻 Affected Systems

Products:
  • ZITADEL
Versions: All versions before 3.0.0, 2.71.9, and 2.70.10
Operating Systems: All platforms running ZITADEL
Default Config Vulnerable: ⚠️ Yes
Notes: Systems using ZITADEL's Session API with idp intents are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, allowing attackers to authenticate as any user and access their resources and privileges.

🟠 Likely Case: Session hijacking leading to unauthorized access to user accounts and potential data exposure.

🟢 If Mitigated: With MFA enabled, attackers cannot complete authentication, which prevents full account compromise but still exposes session tokens.

🌐 Internet-Facing: HIGH - Exploitation requires reaching the application's URI, which is typically internet-facing for identity management systems.
🏢 Internal Only: MEDIUM - Internal deployments remain vulnerable if an attacker gains network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to the application's URI but no authentication to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0, 2.71.9, or 2.70.10

Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq

Restart Required: Yes

Instructions:

1. Back up your ZITADEL configuration and data.
2. Stop the ZITADEL service.
3. Upgrade to version 3.0.0, 2.71.9, or 2.70.10 using your package manager or a manual installation.
4. Restart the ZITADEL service.
5. Verify that the upgrade was successful.

🔧 Temporary Workarounds

Enable MFA (applies to: all)

Multi-factor authentication prevents an attacker from completing authentication even if tokens are stolen.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to ZITADEL URIs
  • Enable comprehensive logging and monitoring for suspicious session activities

🔍 How to Verify

Check if Vulnerable:

Check ZITADEL version - if below 3.0.0, 2.71.9, or 2.70.10, the system is vulnerable.

Check Version:

zitadel version (or check ZITADEL admin interface)

Verify Fix Applied:

After upgrading, verify that the ZITADEL version is 3.0.0 or higher, or the patched release of your branch (2.71.9 for 2.71.x, 2.70.10 for 2.70.x) or higher.
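As an added example (not from the advisory or the ZITADEL project), a small Python helper that applies the version rule above to an inventory of deployments and reports which are still exposed and which patched release each should move to. It assumes the conservative reading that any pre-3.0.0 release outside the 2.70.x and 2.71.x backport branches is affected, and that a pre-release such as 2.71.9-rc.1 sorts below the final 2.71.9.

```python
import re

# Patched releases named in the advisory, keyed by release branch.
FIXED_BY_BRANCH = {(2, 70): (2, 70, 10), (2, 71): (2, 71, 9)}
FIXED_MAINLINE = (3, 0, 0)

# Accepts "3.0.0", "v2.71.9", "2.71.9-rc.1" and "2.70.10+build.5".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse_version(text):
    """Return (major, minor, patch, is_final); pre-releases sort below finals."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZITADEL version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = 0 if m.group(4) else 1  # "2.71.9-rc.1" < "2.71.9"
    return (major, minor, patch, is_final)


def fix_target(version):
    """Patched release a deployment on this branch should upgrade to."""
    major, minor, _, _ = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor), FIXED_MAINLINE)
    return ".".join(str(n) for n in fixed)


def is_vulnerable(version):
    """True if the version predates its branch's patched release."""
    parsed = parse_version(version)
    if parsed >= FIXED_MAINLINE + (1,):  # 3.0.0 final or later
        return False
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        # Assumption: pre-3.0.0 branches without a listed backport are affected.
        return True
    return parsed < fixed + (1,)


def triage(inventory):
    """Map host -> fix target for every host still running an affected version."""
    return {host: fix_target(v) for host, v in inventory.items() if is_vulnerable(v)}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or versions from the advisory.
    sample = {"idp-a": "2.70.9", "idp-b": "2.71.9", "idp-c": "2.71.9-rc.1",
              "idp-d": "3.0.0", "idp-e": "2.69.3"}
    for host, target in triage(sample).items():
        print(f"{host}: vulnerable, upgrade to {target}")
```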

📡 Detection & Monitoring

Log Indicators:

  • Multiple idp intent requests from same source
  • Unusual session creation patterns
  • Authentication attempts with reused tokens

Network Indicators:

  • Repeated requests to idp intent endpoints
  • Abnormal traffic to session API URIs

SIEM Query:

source="zitadel" AND (event="idp_intent" OR event="session_create") | stats count by src_ip, user | where count > threshold
