Zitadel IDOR Vulnerability in Organization V2Beta API Allows Cross-Tenant Data Tampering

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Zitadel's open-source identity management platform, specifically within the Organization V2Beta API. This vulnerability affects Zitadel versions 4.0.0-rc.1 through 4.6.2. It allows authenticated users holding certain administrator roles in one organization to read and modify organization-level data belonging to other organizations within the same Zitadel instance. The exposed data is limited to organization names, domains, and metadata; related data such as users, projects, and applications is not affected. The vulnerability arises from improper authorization checks: the API verifies that the caller holds an administrator role but does not bind that role to the organization referenced in the request, so administrators can bypass access controls and manipulate data across organizations.

Impact

Exploitation of this vulnerability could lead to unauthorized access and modification of organization data, including the potential to delete entire organizations.

Reproduction

To reproduce this vulnerability, an authenticated user with an administrator role in one organization sends requests to the Organization V2Beta API endpoints that manage organization data, referencing the identifier of a different organization. The API incorrectly authorizes these requests, granting read and modification access to the other organization's data.
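The following Go program is an added illustration of the authorization defect the advisory describes, not Zitadel's own code: an organization-management handler that checks only whether the caller holds an administrator role (the IDOR pattern) is placed beside a hardened handler that additionally requires the role to be held in the organization the request names. The types, role names (ORG_OWNER as an organization-scoped role, IAM_OWNER as an assumed instance-wide role), and the two-tenant sample store are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Caller is the authenticated principal: the organization it belongs to and the
// roles it holds there. (Constructed for this example; not Zitadel's types.)
type Caller struct {
	UserID string
	OrgID  string
	Roles  []string
}

// Organization is the tenant-level resource exposed by the API in this example.
type Organization struct {
	ID      string
	Name    string
	Domains []string
}

// OrgStore stands in for the organization repository.
type OrgStore map[string]*Organization

var (
	ErrForbidden = errors.New("forbidden: caller may not act on this organization")
	ErrNotFound  = errors.New("organization not found")
)

// NewSampleStore builds a fresh two-tenant store (constructed sample data).
func NewSampleStore() OrgStore {
	return OrgStore{
		"org-a": {ID: "org-a", Name: "Org A", Domains: []string{"a.example"}},
		"org-b": {ID: "org-b", Name: "Org B", Domains: []string{"b.example"}},
	}
}

func hasRole(c Caller, role string) bool {
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// RenameOrgVulnerable shows the IDOR pattern the advisory describes: the handler
// verifies that the caller holds an administrator role, but never verifies that
// the organization named in the request is the one the role was granted in.
// An org admin can therefore rename (and, by the same defect, delete) any tenant.
func RenameOrgVulnerable(s OrgStore, c Caller, orgID, newName string) error {
	if !hasRole(c, "ORG_OWNER") {
		return ErrForbidden
	}
	org, ok := s[orgID]
	if !ok {
		return ErrNotFound
	}
	org.Name = newName
	return nil
}

// AuthorizeOrg binds the decision to the object being referenced: the required
// role must be held in the organization the request names. IAM_OWNER is an
// assumed instance-wide role that may act on every organization.
func AuthorizeOrg(c Caller, orgID, requiredRole string) bool {
	if hasRole(c, "IAM_OWNER") {
		return true
	}
	return c.OrgID == orgID && hasRole(c, requiredRole)
}

// RenameOrgFixed is the hardened handler. The authorization check runs before
// the lookup, so a foreign org ID yields ErrForbidden whether or not it exists,
// which also avoids leaking which tenant identifiers are valid.
func RenameOrgFixed(s OrgStore, c Caller, orgID, newName string) error {
	if !AuthorizeOrg(c, orgID, "ORG_OWNER") {
		return ErrForbidden
	}
	org, ok := s[orgID]
	if !ok {
		return ErrNotFound
	}
	org.Name = newName
	return nil
}

func main() {
	adminA := Caller{UserID: "u1", OrgID: "org-a", Roles: []string{"ORG_OWNER"}}
	s := NewSampleStore()
	fmt.Println("vulnerable, cross-tenant:", RenameOrgVulnerable(s, adminA, "org-b", "renamed"), s["org-b"].Name)
	s = NewSampleStore()
	fmt.Println("fixed, cross-tenant:", RenameOrgFixed(s, adminA, "org-b", "renamed"), s["org-b"].Name)
	fmt.Println("fixed, own tenant:", RenameOrgFixed(s, adminA, "org-a", "renamed"), s["org-a"].Name)
}
```

The point of the hardened version is that the authorization decision takes the object identifier as an input: a role check that ignores which organization the request targets is exactly what lets an administrator of one tenant act on another. Running the authorization check before the repository lookup keeps the error response identical for foreign tenants whether or not they exist.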

Remediation

Users should upgrade to Zitadel version 4.6.3 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, the affected Organization V2Beta API endpoints can be blocked at the reverse proxy or Web Application Firewall (WAF) level until the upgrade is performed.

Added: Nov 7, 2025, 7:29 PM
Updated: Nov 7, 2025, 7:29 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.4
remediation: 7.9
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.