GHSA-cpf4-pmr4-w6cx
IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/zitadel/zitadel🐹github.com/zitadel/zitadelReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
ZITADEL's Organization V2Beta API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations.
Impact
ZITADEL's Organization V2Beta API, intended for managing ZITADEL organizations, contains multiple endpoints that fail to properly authorize authenticated users. An attacker with an administrator role for a specific organization could exploit this to bypass access controls and perform unauthorized actions on other organizations within the same ZITADEL instance.
This could allow an attacker to:
- Read organization data, including the name, domains and metadata.
- Manipulate (modify) the corresponding organization data.
- Delete the corresponding data, up to and including the entire organization.
Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected.
Affected Versions
Systems running one of the following versions are affected:
- v4.x:
4.0.0-rc.1through4.6.2
Patches
The vulnerability has been addressed in the latest release. The patch resolves the issue by correctly validating the caller's permission against the target organization.
- v4.x: Upgrade to version 4.6.3 or later.
Workarounds
Upgrading to a patched version is the recommended solution.
If an immediate upgrade is not possible, mitigation can be achieved by disabling the affected Organization V2Beta API endpoints (e.g., /v2beta/organizations/...) at a reverse proxy or Web Application Firewall (WAF) level.
Questions
If you have any questions or comments about this advisory, please email us at [email protected]
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/zitadel/zitadel | ≥ 4.0.0-rc.1&&< 4.6.3 | 4.6.3 |
| 🐹Go | github.com/zitadel/zitadel | ≥ 1.80.0-v2.20.0.20250414095945-f365cee73242&&< 1.80.0-v2.20.0.20251105083648-8dcfff97ed52 | 1.80.0-v2.20.0.20251105083648-8dcfff97ed52 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/zitadel/zitadel. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/zitadel/zitadel to 4.6.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-cpf4-pmr4-w6cx is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-cpf4-pmr4-w6cx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-cpf4-pmr4-w6cx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-cpf4-pmr4-w6cx in your dependencies?
O3 detects GHSA-cpf4-pmr4-w6cx across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.