CVE-2026-33132
ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints. This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.
EPSS 0.08% · 23.1th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | zitadel/zitadel | 4.0.0-rc.1, 3.0.0-rc.1, 0 |
| zitadel | zitadel | >= 4.0.0-rc.1, < 4.12.3, >= 3.0.0-rc.1, < 3.4.9, 0 |
Timeline
- Mar 18, 2026 CVE Published
- Mar 19, 2026 Security Advisory
- Mar 20, 2026 CVE Updated
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 PoC Published
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 25, 2026 EPSS Score
- May 18, 2026 EPSS Score
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m url
- https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8 url
- https://github.com/zitadel/zitadel/releases/tag/v3.4.9 url
- https://github.com/zitadel/zitadel/releases/tag/v4.12.3 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-33132 advisory
- https://github.com/zitadel/zitadel package