CVE-2025-64431 HIGH

CVE-2025-64431: IDOR Vulnerabilities in ZITADEL's Organization API allow Cross-Tenant Data Tampering

Vendor Zitadel
Product zitadel
Weakness CWE-639 · IDOR
Published November 7, 2025
Last update November 7, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to Insecure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations. Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3.
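The defect class the description names is an authorization check that confirms the caller holds an administrator role but never ties the requested organization ID to the caller's own tenant. The following Go example is added here as an illustration and is not ZITADEL's code: the store, the `Caller` type, the role names `ORG_OWNER` and `IAM_OWNER`, and the organization IDs are all constructed for the example. It places the role-only check beside a tenant-scoped check that binds the target object to the caller's organization (instance-level administrators excepted).

```go
package main

import (
	"errors"
	"fmt"
)

// Caller is the identity established by authentication (constructed for this example).
type Caller struct {
	UserID string
	OrgID  string          // organization the caller belongs to
	Roles  map[string]bool // role names are assumed for illustration, e.g. ORG_OWNER, IAM_OWNER
}

// Org holds the organization-level data the advisory is about (name shown; domains/metadata omitted).
type Org struct {
	ID   string
	Name string
}

// OrgStore stands in for the persistence layer.
type OrgStore struct {
	Orgs map[string]*Org
}

var (
	ErrNotFound  = errors.New("organization not found")
	ErrForbidden = errors.New("forbidden: organization is outside the caller's tenant")
)

// NewSampleStore returns two constructed organizations so the checks can be exercised offline.
func NewSampleStore() *OrgStore {
	return &OrgStore{Orgs: map[string]*Org{
		"org-a": {ID: "org-a", Name: "Org A"},
		"org-b": {ID: "org-b", Name: "Org B"},
	}}
}

// UpdateOrgNameRoleOnly shows the IDOR pattern: it verifies that the caller has an
// administrator role, then trusts the client-supplied orgID without asking whether
// that organization is the caller's own. An ORG_OWNER of org-a can rename org-b.
func (s *OrgStore) UpdateOrgNameRoleOnly(c Caller, orgID, name string) error {
	if !c.Roles["ORG_OWNER"] && !c.Roles["IAM_OWNER"] {
		return ErrForbidden
	}
	org, ok := s.Orgs[orgID]
	if !ok {
		return ErrNotFound
	}
	org.Name = name
	return nil
}

// authorizedForOrg is the tenant-scoping rule: an instance-level admin may manage any
// organization; an organization admin may manage only the organization they belong to.
func authorizedForOrg(c Caller, orgID string) bool {
	if c.Roles["IAM_OWNER"] {
		return true
	}
	return c.Roles["ORG_OWNER"] && c.OrgID == orgID
}

// UpdateOrgName is the hardened form. Authorization is evaluated against the specific
// object before the lookup, so a cross-tenant request is refused with the same error
// whether or not the target organization exists (no existence oracle).
func (s *OrgStore) UpdateOrgName(c Caller, orgID, name string) error {
	if !authorizedForOrg(c, orgID) {
		return ErrForbidden
	}
	org, ok := s.Orgs[orgID]
	if !ok {
		return ErrNotFound
	}
	org.Name = name
	return nil
}

func main() {
	s := NewSampleStore()
	owner := Caller{UserID: "u1", OrgID: "org-a", Roles: map[string]bool{"ORG_OWNER": true}}

	fmt.Println("role-only check, org-a owner renames org-b:", s.UpdateOrgNameRoleOnly(owner, "org-b", "renamed"))
	fmt.Println("org-b is now:", s.Orgs["org-b"].Name)

	s = NewSampleStore()
	fmt.Println("tenant-scoped check, org-a owner renames org-b:", s.UpdateOrgName(owner, "org-b", "renamed"))
	fmt.Println("org-b is still:", s.Orgs["org-b"].Name)
	fmt.Println("tenant-scoped check, org-a owner renames org-a:", s.UpdateOrgName(owner, "org-a", "renamed"))
}
```

The detection angle follows from the same rule: an audit log entry whose acting user's organization differs from the organization of the object being modified, without an instance-level role on the actor, is the event a defender would alert on while running an affected version.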

Key dates

Disclosure timeline

November 7, 2025 CVE published
November 7, 2025 Record updated