CVE-2026-55670
published 2026-06-18


Severity: low
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers

### Summary

A flaw in the user lifecycle enforcement allowed deleted users to retain their original organization/tenant association. Recreating a deleted user under a distinct organization can cause the new user instance to be incorrectly provisioned within the original organization if the previous ID is reused to recreate it.

### Impact

When a user is created, the system maps the generated or provided ID to its target organization (`Org A`). When that user is subsequently deleted, a deletion event is appended to the stream, but the historical mapping of the resource owner within the event store's validation layer is not cleared.

If a new user is later provisioned in a different organization (`Org B`) using that exact same ID, the event store validation logic reads the stream's history, matches it to the original organization, and routes the new user's events to `Org A` instead of `Org B`.

This issue represents a localized multi-tenancy isolation anomaly rather than an easily exploitable attack vector. Because the new user instance is incorrectly routed and provisioned inside `Org A` instead of `Org B`, an administrator from `Org A` inadvertently gains full access to this new user record.

However, there is no technical mechanism for a malicious actor to force, automate, or target this behavior against a specific user or tenant. Because the scenario relies entirely on an accidental sequence of operational events and requires the recycling of a highly specific ID space, the practical security risk is exceptionally low.
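
As an added illustration (not ZITADEL's code and not the actual patch), the Go model below of an event-store validation layer reproduces the routing described above: with the flaw, a deleted user's history pins a recycled ID to `Org A`, while an assumed hardening treats a stream that ends in a removal as closed and refuses to add an ID that is still live in another organization. The names `Store`, `AddUser`, `RemoveUser` and the `strict` switch are this example's own.

```go
package main

import "fmt"

// Event is a simplified event-store entry: aggregate (user) ID, the owning
// organization (resource owner) and the type, "user.added" or "user.removed".
type Event struct{ AggregateID, ResourceOwner, Type string }

// Store is an in-memory stand-in for the event stream (a constructed model).
type Store struct{ Events []Event }

// last returns the most recent event in the aggregate's stream, if any.
func (s *Store) last(id string) (last Event, ok bool) {
	for _, e := range s.Events {
		if e.AggregateID == id {
			last, ok = e, true
		}
	}
	return last, ok
}

// AddUser appends user.added for id and returns the org it was routed to.
// strict=false models the flaw: any prior history, even a removed user,
// pins the owner to the original org. strict=true is an assumed hardening:
// a stream ending in user.removed is closed, so the requested org is used,
// and an ID still live in another org is rejected instead of re-routed.
func (s *Store) AddUser(id, requestedOrg string, strict bool) (string, error) {
	owner := requestedOrg
	if prev, ok := s.last(id); ok {
		switch {
		case !strict:
			owner = prev.ResourceOwner
		case prev.Type != "user.removed" && prev.ResourceOwner != requestedOrg:
			return "", fmt.Errorf("user %s is live in %s, refusing to add it to %s", id, prev.ResourceOwner, requestedOrg)
		}
	}
	s.Events = append(s.Events, Event{id, owner, "user.added"})
	return owner, nil
}

// RemoveUser appends user.removed in the org the user currently belongs to.
func (s *Store) RemoveUser(id string) {
	if prev, ok := s.last(id); ok && prev.Type != "user.removed" {
		s.Events = append(s.Events, Event{id, prev.ResourceOwner, "user.removed"})
	}
}
```

Running the same add/remove/add sequence with `strict=false` returns `orgA` for the recreated user, which is the misrouting the advisory describes; with `strict=true` it returns the requested `orgB`.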

### Affected Versions

Systems running one of the following versions are affected:

* **4.x:** `4.0.0` through `4.15.1` (including RC versions)
* **3.x:** `3.0.0` through `3.4.11` (including RC versions)

### Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission when the verification flag is provided.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20260615092437-6082e59d47c1 | 1.80.0-v2.20.0.20260615092437-6082e59d47c1 |