ZITADEL
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*
- >= 4.0.0, <= 4.12.1
- >= 3.0.0, <= 3.4.7
- >= 2.0.0, <= 2.71.19
A cross-tenant information disclosure vulnerability has been identified in ZITADEL's Management API, affecting versions 4.0.0 prior to 4.12.2, 3.0.0 prior to 3.4.8, and 2.0.0 prior to 2.71.19. This vulnerability allows authenticated users with low-privilege tokens to access management-plane information from other organizations by manipulating project, grant, or app identifiers. The issue arises from insufficient validation of resource ownership, enabling unauthorized data access across tenants.
Exploitation of this vulnerability could lead to unauthorized access to another organization's management-plane information, including sensitive OIDC configuration data such as client IDs and redirect URIs.
Users can upgrade to ZITADEL versions 4.12.2 or 3.4.8 to address this vulnerability. For version 2.x, updating to 3.4.8 is recommended. If an upgrade is not feasible and the Management V1 API is no longer in use, access can be blocked through a reverse proxy or WAF rule.
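As an added illustration of that interim measure (this is not configuration from the advisory or from the ZITADEL project), the following nginx reverse-proxy fragment refuses the Management V1 API surface while leaving the rest of the instance reachable. It assumes ZITADEL is upstream at 127.0.0.1:8080, that the REST prefix is /management/v1/ and that the gRPC service path is /zitadel.management.v1.ManagementService/; confirm both against your own deployment before relying on the rule.

```nginx
# Added example, not ZITADEL's own configuration.
# Assumed paths: REST prefix /management/v1/ and gRPC service
# /zitadel.management.v1.ManagementService/ ; assumed upstream 127.0.0.1:8080.
server {
    listen 443 ssl http2;
    server_name zitadel.example.com;        # placeholder hostname

    # Refuse the REST form of the Management V1 API. "^~" makes the
    # prefix match win over any regex locations declared later.
    location ^~ /management/v1/ {
        return 403;
    }

    # Refuse the gRPC form of the same service; gRPC clients address
    # methods as POST /<package>.<Service>/<Method>.
    location ^~ /zitadel.management.v1.ManagementService/ {
        return 403;
    }

    # All other traffic (login UI, OIDC endpoints, V2 APIs) continues to
    # the instance. Keep whatever proxy/grpc_pass setup your deployment
    # already uses here; only the deny rules above are the point.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, a request to any path under /management/v1/ should return 403 while OIDC login and token flows behave as before; if anything in the environment still calls the Management V1 API, that traffic will now fail, which is the signal that the API is still in use and the upgrade path is the correct fix.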