CVE-2025-64431

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-64431
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-64431.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-64431
Aliases
Published
2025-11-07T18:09:25Z
Modified
2025-11-11T19:52:48.990336Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
IDOR vulnerabilities in ZITADEL's Organization API allow cross-tenant data tampering
Details

Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to Insecure Direct Object Reference (IDOR) attacks through the V2Beta API: an authenticated user holding specific administrator roles within one organization can read and modify data belonging to other organizations by supplying another organization's identifier in the request. The vulnerability is limited to organization-level data (name, domains, metadata); no other related data (users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3.
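
The pattern behind CWE-639 is an authorization check that verifies the caller's role but not the caller's relationship to the object named in the request. The following Go program is an added, hypothetical illustration of that pattern and its fix; it is not ZITADEL's code, and the role names (`ORG_OWNER`, `IAM_OWNER`), the in-memory store and the sample organizations are constructed for the example. The vulnerable handler accepts any organization ID from an org-level admin; the fixed handler only lets an org-level admin act on their own organization and reserves cross-organization access to an instance-wide role.

```go
package main

import (
	"errors"
	"fmt"
)

// Caller models the authenticated principal. OrgID is the organization the
// caller belongs to; Roles holds role names (hypothetical, not ZITADEL's).
type Caller struct {
	UserID string
	OrgID  string
	Roles  map[string]bool
}

// Org is the only resource in this example: organization-level data.
type Org struct {
	ID   string
	Name string
}

// Store is a constructed in-memory stand-in for the organization table.
type Store struct {
	orgs map[string]*Org
}

var (
	ErrPermissionDenied = errors.New("permission denied")
	ErrNotFound         = errors.New("organization not found")
)

// newStore seeds two constructed organizations so the example runs offline.
func newStore() *Store {
	return &Store{orgs: map[string]*Org{
		"org-a": {ID: "org-a", Name: "Org A"},
		"org-b": {ID: "org-b", Name: "Org B"},
	}}
}

// vulnerableUpdateOrgName checks only that the caller has an admin role and
// then trusts the orgID taken from the request (CWE-639): an ORG_OWNER of
// org-a can rename org-b.
func (s *Store) vulnerableUpdateOrgName(c Caller, orgID, newName string) error {
	if !c.Roles["ORG_OWNER"] && !c.Roles["IAM_OWNER"] {
		return ErrPermissionDenied
	}
	org, ok := s.orgs[orgID]
	if !ok {
		return ErrNotFound
	}
	org.Name = newName
	return nil
}

// fixedUpdateOrgName binds the role to the resource: an org-level admin may
// only act on the organization they belong to, and only an instance-wide
// role may act across organizations. The authorization decision is made
// before the existence lookup so a denied caller cannot enumerate org IDs.
func (s *Store) fixedUpdateOrgName(c Caller, orgID, newName string) error {
	switch {
	case c.Roles["IAM_OWNER"]:
		// instance-wide admin: cross-organization access is intended
	case c.Roles["ORG_OWNER"] && c.OrgID == orgID:
		// org admin acting on their own organization
	default:
		return ErrPermissionDenied
	}
	org, ok := s.orgs[orgID]
	if !ok {
		return ErrNotFound
	}
	org.Name = newName
	return nil
}

func main() {
	attacker := Caller{UserID: "u1", OrgID: "org-a", Roles: map[string]bool{"ORG_OWNER": true}}

	s := newStore()
	err := s.vulnerableUpdateOrgName(attacker, "org-b", "tampered")
	fmt.Printf("vulnerable: err=%v, org-b name=%q\n", err, s.orgs["org-b"].Name)

	s = newStore()
	err = s.fixedUpdateOrgName(attacker, "org-b", "tampered")
	fmt.Printf("fixed (cross-org): err=%v, org-b name=%q\n", err, s.orgs["org-b"].Name)

	err = s.fixedUpdateOrgName(attacker, "org-a", "renamed")
	fmt.Printf("fixed (own org): err=%v, org-a name=%q\n", err, s.orgs["org-a"].Name)
}
```

When reviewing an API for this class of bug, look for every handler that takes a tenant or organization identifier from the request body or path and confirm that the identifier is compared against the caller's scope (or that the caller holds a role that is explicitly tenant-independent) rather than only checking that some admin role is present.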

Database specific
{
    "cwe_ids": [
        "CWE-639"
    ]
}
References

Affected packages

Git / github.com/zitadel/zitadel

Affected ranges

Type
GIT
Repo
https://github.com/zitadel/zitadel
Events

Affected versions

v3.*

v3.3.1
v3.3.2

v4.*

v4.0.0
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.3
v4.0.0-rc.4
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.4.0
v4.5.0
v4.6.0
v4.6.1
v4.6.2