CVE-2026-56668

zitadel · zitadel

ZITADEL is affected by a missing authorization vulnerability that allows authenticated users to access resources without proper permission checks.

Executive summary

A missing authorization vulnerability in ZITADEL permits authenticated users to access restricted resources, posing a significant risk to identity security.

Vulnerability

This issue is identified as a Missing Authorization vulnerability (CWE-862). It occurs when the software fails to verify if a user has the necessary permissions to perform a specific action or access a specific resource, effectively bypassing intended security constraints.

Business impact

Missing authorization vulnerabilities can lead to unauthorized data disclosure and the manipulation of identity management settings. Given the CVSS score of 8.1, the ability for a standard user to perform unauthorized operations could result in severe reputational and operational damage. Protecting the integrity of the identity platform is paramount to preventing wider systemic compromise.

Remediation

Immediate Action: Upgrade the ZITADEL platform to version 4.15.3 or later to ensure proper authorization checks are enforced.

Proactive Monitoring: Audit access logs to identify any unauthorized attempts to access endpoints or perform actions that fall outside of standard user workflows.

Compensating Controls: Implement temporary access restrictions via a WAF or API gateway to block suspicious requests targeting sensitive management endpoints until the update is applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Authorization flaws within identity management systems are high-risk. Administrators must prioritize updating to ZITADEL version 4.15.3 to restore proper access control enforcement and protect against unauthorized resource exploitation.