ZITADEL SCIM API Authentication Bypass Vulnerability Allowing Unauthenticated Data Access

Vulnerability

An authentication bypass vulnerability has been identified in ZITADEL's System for Cross-domain Identity Management (SCIM) API, affecting versions 2.68.0 prior to 2.71.19, 3.0.0 prior to 3.4.7, and 4.0.0 prior to 4.12.1. By sending requests whose path contains URL-encoded values, an unauthenticated attacker can cause the authentication and permission checks on the SCIM API to be skipped, and can then retrieve sensitive user information: names, email addresses, phone numbers, addresses, external IDs, and roles. Write operations are covered by additional checks, so the flaw does not allow an attacker to modify or delete user data; the exposure is read-only disclosure.

Impact

Exploitation gives an unauthenticated attacker read access to sensitive user attributes through the SCIM API, with the potential for privacy violations and misuse of the disclosed personal data.

Remediation

Upgrade to a fixed release: 2.71.19 or later on the 2.x line, 3.4.8 or later on 3.x, or 4.12.2 or later on 4.x. Where an upgrade is not immediately possible, block access to the SCIM API with a reverse-proxy or Web Application Firewall (WAF) rule. Because the bypass relies on URL-encoded path values, that rule must be evaluated against the decoded (normalized) request path rather than the literal request line; a rule that only string-matches the raw path can be skirted in the same way. Blocking the endpoint also disables SCIM provisioning until the upgrade is applied.
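The following is an added example, not code from ZITADEL or from this advisory, illustrating the two points above: why a proxy/WAF block on the SCIM API must match on the normalized path, and how to triage access logs for the class of request the advisory describes. It assumes the SCIM API is exposed under the `/scim/` prefix and that the proxy writes combined-format access logs; both are assumptions, and the sample log lines are constructed for the example (the encoded paths in them illustrate the request class, not the specific request used against ZITADEL).

```python
import re
from urllib.parse import unquote

# Assumed base path of ZITADEL's SCIM API as exposed behind the proxy
# (an assumption for this example; confirm against your deployment).
SCIM_PREFIX = "/scim/"


def normalize_path(raw_target: str) -> str:
    """Return a canonical form of a request target for block/authz decisions.

    Steps: drop the query string, percent-decode until the string stops
    changing (defeats double encoding), collapse repeated slashes and
    resolve '.'/'..' segments. Matching a protected prefix against this
    form, rather than the literal request line, is what keeps an encoded
    path from slipping past the rule.
    """
    path = raw_target.split("?", 1)[0]
    previous = None
    while path != previous:
        previous = path
        path = unquote(path)
    path = re.sub(r"/+", "/", path)
    resolved = []
    for segment in path.split("/"):
        if segment == "..":
            if resolved:
                resolved.pop()
        elif segment not in ("", "."):
            resolved.append(segment)
    return "/" + "/".join(resolved)


def naive_should_block(raw_target: str) -> bool:
    """Literal prefix match on the raw request line: evaded by encoding."""
    return raw_target.lower().startswith(SCIM_PREFIX)


def should_block(raw_target: str) -> bool:
    """Prefix match on the normalized path: the form a proxy/WAF rule needs."""
    return normalize_path(raw_target).lower().startswith(SCIM_PREFIX)


# Combined-log-format request line, e.g. from nginx in front of ZITADEL (assumed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_encoded_scim_requests(log_lines):
    """Flag requests that reach the SCIM API only once the path is decoded.

    A legitimate SCIM client sends a plain path; a request whose raw path
    contains percent-encoding yet normalizes to the SCIM prefix is the
    class of traffic the advisory describes and is worth triage.
    Returns (client_ip, method, raw_target, status) tuples.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw_target = m.group("target")
        raw_path = raw_target.split("?", 1)[0]
        if "%" in raw_path and should_block(raw_target):
            hits.append((m.group("ip"), m.group("method"), raw_target, m.group("status")))
    return hits


# Constructed sample log lines (not real traffic); the org ID is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2026:10:00:01 +0000] "GET /scim/v2/000000000000000000/Users HTTP/1.1" 401 0',
    '203.0.113.7 - - [11/Mar/2026:10:00:02 +0000] "GET /scim%2Fv2/000000000000000000/Users HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Mar/2026:10:00:03 +0000] "GET /%2573cim/v2/000000000000000000/Users HTTP/1.1" 200 5120',
    '198.51.100.4 - - [11/Mar/2026:10:00:04 +0000] "GET /ui/console HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    probes = ("/scim/v2/x/Users", "/scim%2Fv2/x/Users",
              "/%2573cim/v2/x/Users", "/a/../scim/v2/x/Users")
    for probe in probes:
        print(f"{probe:26} naive={naive_should_block(probe)!s:5} "
              f"normalized={should_block(probe)}")
    for hit in find_encoded_scim_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The first loop shows the naive rule passing every encoded or dot-segment variant that the normalized rule blocks; the second lists the sample requests that only resolve to the SCIM prefix after decoding. In production, most proxies (nginx `location` matching, for instance) already evaluate rules on the decoded path, but a WAF rule written as a raw-string match does not, which is why the normalization step matters.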

Added: Mar 11, 2026, 10:37 PM
Updated: Mar 11, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 8.3
remediation: 8.3
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.