CVE-2025-27507

Summary

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8.

Affected Software

VendorProductVersion RangeStatus
zitadelzitadel>= 2.63.0-rc.1, < 2.63.8affected
zitadelzitadel>= 2.64.0-rc.1, < 2.64.5affected
zitadelzitadel>= 2.66.0-rc.1, < 2.66.11affected
zitadelzitadel>= 2.67.0-rc.1, < 2.67.8affected
zitadelzitadel>= 2.68.0-rc.1, < 2.68.4affected
zitadelzitadel>= 2.69.0-rc.1, < 2.69.4affected
zitadelzitadel>= 2.70.0-rc.1, < 2.70.1affected
zitadelzitadel>= 2.65.0-rc.1, < 2.65.6affected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References