CVE-2025-64431
📋 TL;DR
Zitadel versions 4.0.0-rc.1 through 4.6.2 contain an insecure direct object reference (IDOR) vulnerability in the V2Beta API. Authenticated users with administrator roles in one organization can access and modify organization-level data (name, domains, metadata) belonging to other organizations. This affects multi-tenant Zitadel deployments where users have organization administrator privileges.
💻 Affected Systems
- Zitadel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A malicious administrator from one organization could rename other organizations, change their domains, or alter their metadata, potentially disrupting their identity management operations or degrading service.
Likely Case
Accidental or intentional data leakage where administrators can view organization details they shouldn't have access to, violating multi-tenancy isolation.
If Mitigated
Limited to organization metadata exposure without access to sensitive user data, applications, or authentication systems.
🎯 Exploit Status
Requires authenticated user with organization administrator role. Exploitation involves API calls to access/modify other organization IDs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.3
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-cpf4-pmr4-w6cx
Restart Required: Yes
Instructions:
1. Back up your Zitadel instance and database.
2. Update to version 4.6.3 using your deployment method (Docker, Kubernetes, binary).
3. Restart the Zitadel service.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable V2Beta API
Temporarily disable the vulnerable V2Beta API endpoint if it is not required for operations.
# Configure Zitadel to disable V2Beta API (method depends on deployment)
Restrict Administrator Access
Review organization administrator roles and reduce them to only essential personnel.
# Review ZITADEL_IAM_ADMIN_ROLES configuration and reduce scope
🧯 If You Can't Patch
- Implement API gateway or WAF rules to monitor and block suspicious organization ID access patterns in V2Beta API calls.
- Enable detailed audit logging for all V2Beta API organization-related operations and monitor for cross-organization access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Zitadel version via the admin interface or API. If the version is between 4.0.0-rc.1 and 4.6.2 inclusive, the system is vulnerable.
Check Version:
curl -s http://localhost:8080/admin/api/v1/version | grep version
Verify Fix Applied:
After updating to 4.6.3, confirm that organization administrators can only access their own organization's data via the V2Beta API.
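The range check above is easy to get wrong by hand because the affected range starts at a pre-release (4.0.0-rc.1 sorts before 4.0.0) and a plain string comparison puts "rc" after the release. The following Python is an added example, not code from the page or from the Zitadel project: it parses a version string the way semver orders pre-releases and reports whether it falls in the advisory's 4.0.0-rc.1 through 4.6.2 range. The extract_version helper is an assumption for pulling a version token out of whatever the version endpoint or CLI returns; adjust it to the actual response format of your deployment.

```python
import re

# Affected range as stated by the advisory (inclusive); 4.6.3 is the fixed release.
FIRST_AFFECTED = "4.0.0-rc.1"
LAST_AFFECTED = "4.6.2"

# Optional leading "v", major.minor.patch, optional "-prerelease" (dot-separated identifiers).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Return a tuple that orders like semver: a pre-release sorts before its release,
    numeric pre-release identifiers compare numerically, alphanumeric ones lexically."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        # Release: flag 1 so it sorts after any pre-release of the same number.
        return (major, minor, patch, 1, ())
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, parts)


def is_affected(version):
    """True when version is within 4.0.0-rc.1 .. 4.6.2 inclusive."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


def extract_version(response_text):
    """Assumed helper: pull the first version-looking token out of a response body
    (e.g. the grep output of the curl check above). Returns None if nothing matches."""
    m = _VERSION_RE.search(response_text)
    return m.group(0) if m else None


if __name__ == "__main__":
    # Constructed sample body; real responses may differ in shape.
    sample = '{"version":"v4.6.2"}'
    found = extract_version(sample)
    print(found, "affected" if found and is_affected(found) else "not affected")
```

Run it against the output of your version check; a True result means the instance is in the advisory's range and should be upgraded to 4.6.3.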
📡 Detection & Monitoring
Log Indicators:
- V2Beta API calls accessing organization IDs different from the requester's organization
- Unauthorized organization modification attempts in audit logs
Network Indicators:
- HTTP requests to /v2beta/organizations/{id} endpoints with mismatched organization IDs
SIEM Query:
source="zitadel" AND (api_path="/v2beta/organizations/*" OR api_version="v2beta") AND org_id!=user_org_id
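The SIEM query above expresses the detection idea; the following Python is an added example, not code from the page or from Zitadel, that applies the same rule offline to a batch of audit events. It reads JSON-lines events, matches the /v2beta/organizations/{id} path form from the network indicator, and flags calls where the target organization differs from the caller's organization. The field names api_path and user_org_id follow the page's query; the ts, user_id, roles, method and status fields, the sample events, and the IAM_OWNER instance-level role used to suppress expected cross-organization access are assumptions for this example, so map them to what your logging pipeline actually emits.

```python
import json
import re
from collections import Counter

# Path form from the page's network indicator: /v2beta/organizations/{id}[/subresource]
ORG_PATH_RE = re.compile(r"^/v2beta/organizations/([^/?]+)")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample events for this example, not real Zitadel log output.
SAMPLE_LOG = """\
{"ts":"2025-11-10T10:00:01Z","user_id":"u-1","user_org_id":"org-A","roles":["ORG_OWNER"],"method":"GET","api_path":"/v2beta/organizations/org-A","status":200}
{"ts":"2025-11-10T10:00:05Z","user_id":"u-1","user_org_id":"org-A","roles":["ORG_OWNER"],"method":"GET","api_path":"/v2beta/organizations/org-B","status":200}
{"ts":"2025-11-10T10:00:09Z","user_id":"u-1","user_org_id":"org-A","roles":["ORG_OWNER"],"method":"PUT","api_path":"/v2beta/organizations/org-B/metadata/theme","status":200}
{"ts":"2025-11-10T10:01:00Z","user_id":"u-9","user_org_id":"org-X","roles":["IAM_OWNER"],"method":"GET","api_path":"/v2beta/organizations/org-B","status":200}
{"ts":"2025-11-10T10:02:00Z","user_id":"u-2","user_org_id":"org-B","roles":["ORG_OWNER"],"method":"POST","api_path":"/v2beta/organizations/org-C/domains","status":403}
{"ts":"2025-11-10T10:03:00Z","user_id":"u-2","user_org_id":"org-B","roles":["ORG_OWNER"],"method":"GET","api_path":"/v2/users/u-2","status":200}
not json at all
"""


def parse_events(text):
    """Yield one dict per JSON line, skipping blank or unparseable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def cross_org_accesses(events, instance_roles=frozenset({"IAM_OWNER"})):
    """Return findings for V2Beta organization calls whose target org differs from
    the caller's org. Callers holding an instance-level role (assumed name IAM_OWNER)
    are skipped because they are expected to reach any organization."""
    findings = []
    for ev in events:
        m = ORG_PATH_RE.match(ev.get("api_path", ""))
        if not m:
            continue
        target_org = m.group(1)
        caller_org = ev.get("user_org_id")
        if caller_org is None or target_org == caller_org:
            continue
        if set(ev.get("roles", [])) & set(instance_roles):
            continue
        status = int(ev.get("status", 0))
        findings.append({
            "ts": ev.get("ts"),
            "user_id": ev.get("user_id"),
            "caller_org": caller_org,
            "target_org": target_org,
            "action": "modify" if str(ev.get("method", "")).upper() in WRITE_METHODS else "read",
            # A 2xx on a cross-org call means isolation actually failed (exploitation
            # indicator); a 403 means the server held the boundary (attempt indicator).
            "succeeded": 200 <= status < 300,
        })
    return findings


def summarize(findings):
    """Count successful cross-org reads and modifies per caller, for triage."""
    return Counter((f["user_id"], f["action"]) for f in findings if f["succeeded"])


if __name__ == "__main__":
    found = cross_org_accesses(parse_events(SAMPLE_LOG))
    for f in found:
        print(f)
    print(dict(summarize(found)))
```

On an unpatched instance, successful cross-org findings (2xx responses) are the ones to escalate; on a patched instance the same rule still flags attempts that were refused with 403, which is useful for spotting accounts probing other tenants.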