CVE-2026-33132
Published: 2026-03-20
Priority: P434 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.31% (22.6th percentile)
ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organization context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.
This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20260317120401-d90285929ca0 | 1.80.0-v2.20.0.20260317120401-d90285929ca0 |
| github.com | zitadel_zitadel | >= 3.0.0-rc.1 < 3.4.9 | 3.4.9 |
| github.com | zitadel_zitadel | >= 4.0.0-rc.1 < 4.12.3 | 4.12.3 |
| zitadel | zitadel | < 1.80.0-v2.20.0.20260317120401-d90285929ca0 | 1.80.0-v2.20.0.20260317120401-d90285929ca0 |
| zitadel | zitadel | < 3.4.9 | 3.4.9 |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | >= 4.0.0 < 4.12.3 | 4.12.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| vendor_redhat | — | 5.3 | MEDIUM | — |
OSV
Zitadel is missing enforcement of organization scopes in github.com/zitadel/zitadel
osv · 2026-03-23
Zitadel is missing enforcement of organization scopes in github.com/zitadel/zitadel.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v3.0.0-rc.1 before v3.4.9, from v4.0.0-rc.1 before v4.12.3.
GHSA
Zitadel is missing enforcement of organization scopes
ghsa · 2026-03-18 · MEDIUM · CWE-863
### Summary
A vulnerability in Zitadel's OAuth2/OIDC interface allowed users to bypass organization enforcement during authentication.
### Impact
Zitadel allows applications to enforce an organization context during authentication using [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes) (`urn:zitadel:iam:org:id:{id}` and `urn:zitadel:iam:org:domain:primary:{domainname}`). If enforced, a user needs to be part of the required organization to sign in.
While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.
This allowed users to bypass the restriction and sign in with users from other organizations.
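The organization check that the CVE description and this Impact section say was missing from device authorization and the V2 endpoints, written as an added, stand-alone Go example (not ZITADEL's own code): it parses the two reserved scopes and rejects a user whose organization does not match. The type and function names are assumptions; only the scope prefixes come from the advisory.

```go
package main

import (
	"fmt"
	"strings"
)

// Reserved ZITADEL scope prefixes named in the advisory.
const (
	orgIDScopePrefix     = "urn:zitadel:iam:org:id:"
	orgDomainScopePrefix = "urn:zitadel:iam:org:domain:primary:"
)

// OrgRequirement is the organization context an application requested via
// scopes; a field stays empty when that scope was not sent.
type OrgRequirement struct {
	OrgID         string
	PrimaryDomain string
}

// ParseOrgScopes extracts the organization requirement from the requested
// scopes. Scopes without the reserved prefixes are ignored.
func ParseOrgScopes(scopes []string) OrgRequirement {
	var req OrgRequirement
	for _, s := range scopes {
		switch {
		case strings.HasPrefix(s, orgIDScopePrefix):
			req.OrgID = strings.TrimPrefix(s, orgIDScopePrefix)
		case strings.HasPrefix(s, orgDomainScopePrefix):
			req.PrimaryDomain = strings.TrimPrefix(s, orgDomainScopePrefix)
		}
	}
	return req
}

// EnforceOrg returns nil when the authenticating user's organization (id and
// primary domain, as resolved from the user record) satisfies every requested
// constraint, and an error otherwise. With no org scope requested nothing is
// enforced. Domains are compared case-insensitively (assumption).
func EnforceOrg(req OrgRequirement, userOrgID, userPrimaryDomain string) error {
	if req.OrgID != "" && req.OrgID != userOrgID {
		return fmt.Errorf("user org %q is not the required org %q", userOrgID, req.OrgID)
	}
	if req.PrimaryDomain != "" && !strings.EqualFold(req.PrimaryDomain, userPrimaryDomain) {
		return fmt.Errorf("user org domain %q is not the required domain %q", userPrimaryDomain, req.PrimaryDomain)
	}
	return nil
}
```

The fix the advisory describes amounts to running a check like this on every authentication path, not only on the login V1 authorization request.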
OSV
Zitadel is missing enforcement of organization scopes
osv · 2026-03-18 · MEDIUM
Red Hat
github.com/zitadel: ZITADEL: Authentication bypass allows sign-in with other organization's users
vendor_redhat · 2026-03-20 · CVSS 5.3 · MEDIUM · CWE-306
No detection rules found.
No public exploits indexed.