ZITADEL Organization Scope Bypass Vulnerability in Authentication

Vulnerability

A vulnerability exists in ZITADEL versions prior to 3.4.9 and 4.0.0 through 4.12.2, allowing users to bypass organization enforcement during authentication. ZITADEL's OAuth2/OIDC interface can enforce an organization context using specific scopes. If enforced, users must be part of the required organization to sign in. This enforcement was lacking in device authorization requests and all login V2 and OIDC API V2 endpoints, enabling users to sign in with accounts from other organizations. The issue has been patched in ZITADEL versions 3.4.9 and 4.12.3.
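The enforcement described above, modeled as one organization check that every sign-in entry point calls, so that a flow added later (device authorization, a V2 API) cannot skip it. This is an added illustration in Go and not ZITADEL's code: the scope prefixes `urn:zitadel:iam:org:id:` and `urn:zitadel:iam:org:domain:primary:` are ZITADEL's documented organization scopes, while the `User`, `OrgDirectory`, `Flow` and `Authenticate` names, the `ResourceOwner` field and the sample organizations are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Reserved ZITADEL scope prefixes that bind an authentication request to one
// organization. Everything below is an added model of the check, not ZITADEL code.
const (
	orgIDScopePrefix     = "urn:zitadel:iam:org:id:"
	orgDomainScopePrefix = "urn:zitadel:iam:org:domain:primary:"
)

// ErrWrongOrg: the account belongs to a different organization than the scopes require.
var ErrWrongOrg = errors.New("account is not owned by the organization required by the request")

// OrgRequirement is the organization context extracted from the requested scopes.
type OrgRequirement struct {
	OrgID         string
	PrimaryDomain string
}

// ParseOrgRequirement extracts organization scopes from a space-separated OAuth2
// scope string, rejecting empty or contradictory organization values.
func ParseOrgRequirement(scope string) (OrgRequirement, error) {
	var req OrgRequirement
	for _, s := range strings.Fields(scope) {
		switch {
		case strings.HasPrefix(s, orgIDScopePrefix):
			id := strings.TrimPrefix(s, orgIDScopePrefix)
			if id == "" || (req.OrgID != "" && req.OrgID != id) {
				return OrgRequirement{}, fmt.Errorf("invalid organization id scope %q", s)
			}
			req.OrgID = id
		case strings.HasPrefix(s, orgDomainScopePrefix):
			domain := strings.ToLower(strings.TrimPrefix(s, orgDomainScopePrefix))
			if domain == "" || (req.PrimaryDomain != "" && req.PrimaryDomain != domain) {
				return OrgRequirement{}, fmt.Errorf("invalid organization domain scope %q", s)
			}
			req.PrimaryDomain = domain
		}
	}
	return req, nil
}

// User is the minimal view of the authenticating account: the organization that owns it.
type User struct {
	ID            string
	ResourceOwner string // organization id owning the account (assumed field name)
}

// OrgDirectory maps organization id to primary domain; a hypothetical stand-in for the org store.
type OrgDirectory map[string]string

// CheckOrgEnforcement is the single check every sign-in path must run: when the
// request names an organization, the account must be owned by exactly that one.
func CheckOrgEnforcement(req OrgRequirement, u User, dir OrgDirectory) error {
	if req.OrgID != "" && u.ResourceOwner != req.OrgID {
		return ErrWrongOrg
	}
	if req.PrimaryDomain != "" {
		domain, ok := dir[u.ResourceOwner]
		if !ok || !strings.EqualFold(domain, req.PrimaryDomain) {
			return ErrWrongOrg
		}
	}
	return nil // no organization scope requested, or the account matches it
}

// Flow names the entry points that must all share the check; per the advisory,
// device authorization and the V2 login/OIDC APIs had skipped it.
type Flow string

const (
	AuthCodeFlow Flow = "authorization_code"
	DeviceFlow   Flow = "device_authorization"
	LoginV2Flow  Flow = "login_v2"
)

// Authenticate models the shared sign-in step: the flow only selects the entry
// point; the organization check is identical for all of them.
func Authenticate(flow Flow, scope string, u User, dir OrgDirectory) error {
	req, err := ParseOrgRequirement(scope)
	if err == nil {
		err = CheckOrgEnforcement(req, u, dir)
	}
	if err != nil {
		return fmt.Errorf("%s: %w", flow, err)
	}
	return nil
}

func main() {
	// Constructed sample data: two organizations, one account in each.
	dir := OrgDirectory{"org-a": "a.example.com", "org-b": "b.example.com"}
	alice, bob := User{ID: "u1", ResourceOwner: "org-a"}, User{ID: "u2", ResourceOwner: "org-b"}
	scope := "openid urn:zitadel:iam:org:id:org-a"
	for _, f := range []Flow{AuthCodeFlow, DeviceFlow, LoginV2Flow} {
		fmt.Println(f, "alice:", Authenticate(f, scope, alice, dir), "bob:", Authenticate(f, scope, bob, dir))
	}
}
```

The design point is that `Authenticate` has no per-flow branch around the organization check: any new entry point that reuses it gets the enforcement for free, which is the structural property the patched versions restore. Rejecting empty or conflicting organization scopes at parse time also prevents a malformed scope from silently degrading to "no organization required".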

Impact

The vulnerability allowed users to bypass organization-specific authentication requirements, potentially leading to unauthorized access to resources or functionalities tied to a different organization.

Reproduction

To reproduce this vulnerability, initiate a device authorization request or use an OIDC API V2 endpoint without the necessary organization scope. This can be done by omitting the organization-related scopes or by using invalid organization identifiers. Once the request is processed, the organization enforcement will be bypassed, allowing access to accounts from other organizations.

Remediation

Users can upgrade to ZITADEL versions 3.4.9 or 4.12.3, both of which include the necessary patches to enforce organization scopes correctly during authentication.

Added: Mar 20, 2026, 11:24 AM
Updated: Mar 20, 2026, 11:24 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 8.9
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.