GHSA-G2PF-WW5M-2R9M
Vulnerability from github – Published: 2026-03-18 17:25 – Updated: 2026-03-20 21:28
Summary
A vulnerability in Zitadel's OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication.
Impact
Zitadel allows applications to enforce an organization context during authentication using reserved scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If one of these scopes is present, a user must belong to the required organization to sign in.
While this was properly enforced for OAuth2/OIDC authorization requests in login V1, the corresponding controls were missing for device authorization requests and for all login V2 and OIDC API V2 endpoints. This allowed the restriction to be bypassed: a user from a different organization could complete the sign-in.
Note that this enforcement is an additional check during authentication; applications that rely on authorizations / role assignments to grant access are not affected by this bypass.
Affected Versions
Systems running one of the following versions are affected:
- 4.x: 4.0.0 through 4.12.2 (including RC versions)
- 3.x: 3.0.0 through 3.4.8 (including RC versions)
Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by validating the provided scopes and enforcing that the requested organization exists when processing the authorization request. Additionally, it rejects the use of a session whose user does not belong to the required organization on the OIDC service endpoints (CreateCallback and Authorize or Deny Device Authorization).
4.x: Upgrade to >=4.12.3
3.x: Upgrade to >=3.4.9
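The two checks that the Impact and Patches sections describe, as an added example written for this page in Go (Zitadel is a Go project) and not Zitadel's own code: the organization named by the urn:zitadel:iam:org:id: / urn:zitadel:iam:org:domain:primary: scopes must exist, and the user behind the session that completes the request (callback or device authorization) must belong to it. The Org, SessionUser, Directory, ParseOrgRequirement, ResolveOrg and AuthorizeSession names are hypothetical, the directory is constructed in-memory data, and case-insensitive matching of the primary domain is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Reserved scopes that pin an authorization request to one organization.
const (
	scopeOrgIDPrefix     = "urn:zitadel:iam:org:id:"
	scopeOrgDomainPrefix = "urn:zitadel:iam:org:domain:primary:"
)

// OrgRequirement is what the org scopes of one request ask for.
// Both fields empty means the request asked for no enforcement.
type OrgRequirement struct {
	ID            string
	PrimaryDomain string
}

// Org is an organization record and SessionUser the user behind a login V2
// session (OrgID = the organization the user belongs to). Both types and the
// Directory below are constructed for this example, not Zitadel's data model.
type Org struct {
	ID            string
	PrimaryDomain string
}
type SessionUser struct {
	UserID string
	OrgID  string
}

var Directory = []Org{
	{ID: "org-acme", PrimaryDomain: "acme.example.com"},
	{ID: "org-globex", PrimaryDomain: "globex.example.com"},
}

var (
	ErrOrgNotFound = errors.New("required organization does not exist")
	ErrWrongOrg    = errors.New("session user does not belong to the required organization")
)

// ParseOrgRequirement extracts the organization requirement from a
// space-separated scope string. Empty or contradictory org scopes are an
// error, not a no-op, so a request cannot silently lose its restriction.
// Domains are lowercased (assumption: domain matching is case-insensitive).
func ParseOrgRequirement(scope string) (OrgRequirement, error) {
	var req OrgRequirement
	for _, s := range strings.Fields(scope) {
		switch {
		case strings.HasPrefix(s, scopeOrgIDPrefix):
			v := strings.TrimPrefix(s, scopeOrgIDPrefix)
			if v == "" {
				return OrgRequirement{}, fmt.Errorf("empty organization id in scope %q", s)
			}
			if req.ID != "" && req.ID != v {
				return OrgRequirement{}, errors.New("conflicting organization id scopes")
			}
			req.ID = v
		case strings.HasPrefix(s, scopeOrgDomainPrefix):
			v := strings.ToLower(strings.TrimPrefix(s, scopeOrgDomainPrefix))
			if v == "" {
				return OrgRequirement{}, fmt.Errorf("empty primary domain in scope %q", s)
			}
			if req.PrimaryDomain != "" && req.PrimaryDomain != v {
				return OrgRequirement{}, errors.New("conflicting organization domain scopes")
			}
			req.PrimaryDomain = v
		}
	}
	return req, nil
}

// ResolveOrg is the first check the fix describes: the organization named by
// the scopes must exist. When both id and domain are given they must select
// the same organization. Returns (nil, nil) when no enforcement was requested.
func ResolveOrg(dir []Org, req OrgRequirement) (*Org, error) {
	if req.ID == "" && req.PrimaryDomain == "" {
		return nil, nil
	}
	for i := range dir {
		o := &dir[i]
		if req.ID != "" && o.ID != req.ID {
			continue
		}
		if req.PrimaryDomain != "" && strings.ToLower(o.PrimaryDomain) != req.PrimaryDomain {
			continue
		}
		return o, nil
	}
	return nil, ErrOrgNotFound
}

// AuthorizeSession is the second check: the user behind the session that
// completes the request must belong to the required organization. This is
// the check the login V2 and device authorization paths were missing.
func AuthorizeSession(dir []Org, scope string, user SessionUser) error {
	req, err := ParseOrgRequirement(scope)
	if err != nil {
		return err
	}
	org, err := ResolveOrg(dir, req)
	if err != nil {
		return err
	}
	if org != nil && user.OrgID != org.ID {
		return ErrWrongOrg
	}
	return nil
}
```

Two design points worth carrying into any equivalent check: a malformed or contradictory org scope is rejected rather than dropped, and a session whose user sits in a different organization fails closed even when the requested organization exists. That second case is exactly the gap the advisory describes for the V2 paths, where the requested organization was known but the session's user was never compared against it.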
Workarounds
The recommended solution is to upgrade to a patched version.
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to @motoki317 for reporting this vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.12.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-rc.1"
},
{
"fixed": "4.12.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-rc.1"
},
{
"fixed": "3.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.80.0-v2.20.0.20260317120401-d90285929ca0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33132"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T17:25:41Z",
"nvd_published_at": "2026-03-20T11:18:02Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA vulnerability in Zitadel\u0027s OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication.\n\n### Impact\n\nZitadel allows applications to enforce an organzation context during authentication using [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes) (`urn:zitadel:iam:org:id:{id}` and `urn:zitadel:iam:org:domain:primary:{domainname}`). If enforced, a user needs to be part of the required organization to sign in.\n\nWhile this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations.\n\nNote that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass.\n\n### Affected Versions\n\nSystems running one of the following versions are affected:\n- **4.x**: `4.0.0` through `4.12.2` (including RC versions)\n- **3.x**: `3.0.0` through `3.4.8` (including RC versions)\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by validating the provided scopes and enforcing the organization existence when processing the authorization request. \nAdditionally it will prevent the use of a session of a user which does not belong to the required organization on the OIDC service endpoints ([CreateCallback](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.CreateCallback) and [Authorize or Deny Device Authorization](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.AuthorizeOrDenyDeviceAuthorization) endpoints).\n\n4.x: Upgrade to \u003e=[4.12.3](https://github.com/zitadel/zitadel/releases/tag/v4.12.3)\n3.x: Update to \u003e=[3.4.9](https://github.com/zitadel/zitadel/releases/tag/v3.4.9)\n\n### Workarounds\n\nThe recommended solution is to upgrade to a patched version. \n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to @motoki317 for reporting this vulnerability.",
"id": "GHSA-g2pf-ww5m-2r9m",
"modified": "2026-03-20T21:28:15Z",
"published": "2026-03-18T17:25:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33132"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Zitadel is missing enforcement of organization scopes"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.