Zitadel Insecure Direct Object Reference Vulnerability in Admin API Affects LDAP Configurations

Vulnerability

A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in Zitadel's Admin API that allows authenticated users who lack the required IAM roles to modify sensitive settings without authorization. It primarily affects deployments that use LDAP for authentication, because the LDAP configuration can be manipulated to redirect login attempts to a malicious server and expose the original LDAP server's password. Several other endpoints are also affected, which could allow unauthorized changes to instance settings such as languages, labels, and templates.

Impact

Exploitation of this vulnerability could result in unauthorized modification of sensitive LDAP settings, with potential consequences including redirection of LDAP login attempts to a malicious server, exposure of the LDAP server's password, and unauthorized changes to various instance settings affecting all organizations.

Remediation

Users are advised to upgrade to Zitadel versions 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, or 2.63.8.
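As an added illustration (not Zitadel's code and not the fix shipped in the versions above), the following Go program shows the failure class the advisory describes and the check that closes it: an Admin API handler that relies on authentication alone beside one that also requires an instance-level role before LDAP settings can change, with every attempt written to an audit trail so denied attempts against settings endpoints can be alerted on. The role names, type names, and LDAP server addresses are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Caller is the authenticated principal behind an Admin API request.
// Roles holds the instance-level roles granted to it (names are constructed).
type Caller struct {
	UserID string
	Roles  map[string]bool
}

// LDAPConfig is a simplified stand-in for an instance's LDAP identity-provider
// settings. Field names are constructed for this example, not Zitadel's.
type LDAPConfig struct {
	Servers  []string
	BindDN   string
	BindPass string
}

// instanceAdminRole is a hypothetical role name standing in for the IAM role
// that must guard instance-wide settings.
const instanceAdminRole = "INSTANCE_ADMIN"

// ErrForbidden is returned when an authenticated caller lacks the required role.
var ErrForbidden = errors.New("forbidden: caller lacks required instance role")

// AdminAPI holds the instance settings and an audit trail of change attempts.
type AdminAPI struct {
	ldap  LDAPConfig
	audit []string
}

// NewAdminAPI returns an instance pointed at a constructed internal LDAP server.
func NewAdminAPI() *AdminAPI {
	return &AdminAPI{ldap: LDAPConfig{
		Servers:  []string{"ldaps://ldap.internal.example"},
		BindDN:   "cn=service,dc=example",
		BindPass: "constructed-secret",
	}}
}

// UpdateLDAPConfigUnchecked is the defective pattern: it assumes the request has
// passed authentication and never asks whether this caller may change
// instance-wide LDAP settings, so any logged-in user can repoint the instance.
func (a *AdminAPI) UpdateLDAPConfigUnchecked(c Caller, cfg LDAPConfig) error {
	a.ldap = cfg
	a.audit = append(a.audit, fmt.Sprintf("ALLOW user=%s action=update_ldap servers=%v", c.UserID, cfg.Servers))
	return nil
}

// authorize is the per-object check whose absence constitutes the IDOR: the
// request names the instance object directly, so the handler must verify that
// the caller holds the role for that object rather than trusting authentication.
func authorize(c Caller, role string) error {
	if !c.Roles[role] {
		return ErrForbidden
	}
	return nil
}

// UpdateLDAPConfig is the hardened handler. Denied attempts are recorded as well,
// which gives detection a signal: repeated DENY entries on settings endpoints.
func (a *AdminAPI) UpdateLDAPConfig(c Caller, cfg LDAPConfig) error {
	if err := authorize(c, instanceAdminRole); err != nil {
		a.audit = append(a.audit, fmt.Sprintf("DENY user=%s action=update_ldap", c.UserID))
		return err
	}
	return a.UpdateLDAPConfigUnchecked(c, cfg)
}

// LDAPServers returns the currently configured LDAP servers.
func (a *AdminAPI) LDAPServers() []string { return a.ldap.Servers }

// AuditLog returns the recorded change attempts in order.
func (a *AdminAPI) AuditLog() []string { return a.audit }

func main() {
	api := NewAdminAPI()
	orgUser := Caller{UserID: "org-user", Roles: map[string]bool{"org-member": true}}
	err := api.UpdateLDAPConfig(orgUser, LDAPConfig{Servers: []string{"ldaps://rogue.example"}})
	fmt.Println("org user update:", err, "| servers now:", api.LDAPServers())
	for _, line := range api.AuditLog() {
		fmt.Println(line)
	}
}
```

The point of the contrast is that authentication and authorization are separate decisions: the hardened handler makes the role check the first statement of the mutation path, and the audit entry for the denied call is what a detection rule would key on.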

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 5.6
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined into the overall risk score.