anonhaven
Ad

CVE-2026-32131

HIGH CVSS 3.1: 7.7 EPSS 0.04%
Updated Mar 16, 2026
Zitadel
Parameter Value
CVSS 7.7 (HIGH)
Affected Versions 4.0.0 — 4.12.2
Fixed In 3.4.8
Type CWE-639 (Authorization Bypass), CWE-862 (Missing Authorization)
Vendor Zitadel
Public PoC No

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant’s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-639 Authorization Bypass
CWE-862 Missing Authorization

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Zitadel Zitadel
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
 3.4.8
Zitadel Zitadel
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
 4.0.0 4.12.2

References 3

https://github.com/zitadel/zitadel/releases/tag/v3.4.8
security-advisories@github.com
https://github.com/zitadel/zitadel/releases/tag/v4.12.2
security-advisories@github.com
https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33132

Zitadel

5.3

CVE-2026-32132

Zitadel

7.4

CVE-2026-32130

Zitadel

7.5

CVE-2026-29193

Zitadel

8.2

CVE-2026-29192

Zitadel

7.7