ZITADEL Information Disclosure Vulnerability in User Count

Vulnerability

An information disclosure vulnerability has been identified in ZITADEL, an open-source identity infrastructure tool. This vulnerability is present in versions 2.44.0 through 3.4.4, as well as 4.0.0-rc.1 through 4.7.1. The issue arises because the User Service discloses the total number of users in an instance to authenticated users, regardless of their permissions. While this does not reveal individual user data or personally identifiable information, the exposure of the total user count through the 'totalResult' field could be sensitive in certain contexts. The vulnerability has been addressed in versions 3.4.5 and 4.7.2.

Impact

The vulnerability allows any authenticated user to see the total number of users in the instance, which could be sensitive information in some situations.

Reproduction

The vulnerability can be reproduced by sending a request to the User Service's 'ListUsers' endpoint without the 'permissionCheckV2' flag enabled. This will return the total user count for the instance, regardless of the user's permissions.

Remediation

Users can upgrade to ZITADEL versions 3.4.5 or 4.7.2, both of which include the necessary fix. If an upgrade is not possible, the 'permissionCheckV2' feature can be enabled as a workaround.
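The advisory only gives the affected and fixed version ranges in prose; the following is an added example (not part of the advisory or of the ZITADEL project) that turns those ranges into an inventory check, including the 4.0.0-rc.1 prerelease boundary. It assumes each instance reports its version as a string such as "v3.4.4" or "4.0.0-rc.1".

```python
import re

# Affected ranges from the advisory (inclusive): 2.44.0 .. 3.4.4 and 4.0.0-rc.1 .. 4.7.1.
AFFECTED_RANGES = [("2.44.0", "3.4.4"), ("4.0.0-rc.1", "4.7.1")]
# Fixed releases from the advisory, keyed by the major version of the affected instance.
FIXED_VERSION = {2: "3.4.5", 3: "3.4.5", 4: "4.7.2"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Parse 'v3.4.4' or '4.0.0-rc.1' into a sortable key.

    Follows SemVer ordering: a release sorts after any prerelease of the same
    core version (4.0.0-rc.1 < 4.0.0), and prerelease parts compare numerically
    when both are digits, otherwise lexically.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (core, 1, ())          # release: ranks above prereleases of same core
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (core, 0, parts)


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def audit(instances):
    """Return [(name, version, fixed_version)] for every instance still affected.

    `instances` is an iterable of (name, version) pairs, e.g. from an inventory.
    """
    findings = []
    for name, version in instances:
        if is_affected(version):
            major = parse_version(version)[0][0]
            findings.append((name, version, FIXED_VERSION[major]))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    sample = [("prod", "v4.7.1"), ("staging", "4.7.2"), ("legacy", "2.50.0"), ("rc", "4.0.0-rc.1")]
    for name, version, fixed in audit(sample):
        print(f"{name}: {version} is affected, upgrade to {fixed} or enable permissionCheckV2")
```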

Added: Dec 11, 2025, 1:19 AM
Updated: Dec 11, 2025, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          0.6
exploitability  6.4
remediation     8.3
relevance       1.4
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.