ZITADEL Session Management API Vulnerability Allows Session Hijacking

Vulnerability

A vulnerability in ZITADEL's session management API, affecting versions from 2.53.0 up to, but not including, the fixed releases 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, allows any authenticated user who knows a session ID to update that session, because the API did not perform a proper permission check. This flaw can be exploited for session hijacking, enabling an attacker to impersonate another user and access sensitive resources. Versions before 2.53.0 are not affected, as they required the session token for updates.

Impact

Exploitation of this vulnerability allows session hijacking and user impersonation, bypassing any authentication requirements on the hijacked session, including multi-factor authentication. The attacker can then access sensitive resources as the impersonated user.

Remediation

Users can upgrade to ZITADEL versions 4.0.0-rc.2, 3.3.2, 2.71.13, or 2.70.14. For version 4.x, ensure that users are set up correctly or require an additional role before upgrading.
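The authorization gap described under Vulnerability, and the token-or-role check that Remediation alludes to, modelled as a small constructed example. This is illustrative code written for this page, not ZITADEL's implementation; the session store, the "session.write" role name and the attribute dictionary are assumptions.

```python
"""Constructed model of a session-update endpoint: the flawed check beside a sound one."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str            # public identifier, may leak in logs or URLs
    user_id: str               # owner of the session
    token: str                 # secret handed only to whoever created the session
    attrs: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        session = Session(secrets.token_hex(8), user_id, secrets.token_urlsafe(32))
        self._sessions[session.session_id] = session
        return session

    def update_vulnerable(self, session_id, **changes):
        # Flawed: being authenticated plus knowing the session ID is enough,
        # so any user can modify someone else's session.
        session = self._sessions[session_id]
        session.attrs.update(changes)
        return session

    def update_checked(self, session_id, session_token=None, caller_roles=(), **changes):
        # Sound: the caller must present the session's own token (as releases
        # before 2.53.0 required) or hold an explicit role granting session writes.
        session = self._sessions[session_id]
        has_token = session_token is not None and hmac.compare_digest(session_token, session.token)
        has_role = "session.write" in caller_roles   # hypothetical role name
        if not (has_token or has_role):
            raise PermissionError("caller is not permitted to update this session")
        session.attrs.update(changes)
        return session


def demo():
    store = SessionStore()
    victim = store.create("alice")
    # An unrelated authenticated user knows only the ID; the flawed path accepts it.
    hijacked = store.update_vulnerable(victim.session_id, user="mallory").attrs.get("user")
    try:
        store.update_checked(victim.session_id, user="mallory")
        blocked = False
    except PermissionError:
        blocked = True
    return hijacked, blocked
```

`demo()` returns `("mallory", True)`: the flawed update succeeds while the checked one refuses the same request.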

Added: Jul 15, 2025, 5:32 PM
Updated: Jul 15, 2025, 5:32 PM

Vulnerability Rating (Custom Algorithm)

spread: 1.0
impact: 1.3
exploitability: 5.0
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.