Identity Management Platform Vulnerability in ZITADEL
CVE-2025-64717

7.4 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 13 November 2025

What is CVE-2025-64717?

ZITADEL versions prior to 2.71.19, 3.4.4, and 4.6.6 can auto-link a user arriving from an external identity provider to an existing account without honouring the organization's login policy. An attacker who can authenticate through an identity provider that the organization has disabled can therefore be linked to an existing user and take over that account when the relevant organizational settings are not enforced. The fixed versions enforce the organization's login policy during the authentication and linking flow.
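The check that the fix restores, shown as an added illustration in Go (the language ZITADEL is written in). This is example code written for this page, not ZITADEL's own implementation; the types, the policy fields, the sample organizations and users, and the function names are all assumptions chosen to show the flaw class beside its hardened form. The vulnerable path consults only the instance-level IdP record, so an IdP that an organization has not activated (or has disabled) still links an external identity to a matching local user; the hardened path fails closed unless the organization's login policy allows external IdPs, has activated that IdP, and permits auto-linking.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical, simplified data model (assumption for this example; not ZITADEL's types).
type IDP struct {
	ID      string
	Enabled bool // instance-level switch
}

type LoginPolicy struct {
	AllowExternalIDP bool            // may users of this org sign in via external IdPs at all?
	ActiveIDPs       map[string]bool // IdP ID -> activated in this organization's policy
	AutoLinking      bool            // may an external identity be linked to an existing user automatically?
}

type User struct {
	ID    string
	OrgID string
	Email string
}

type AutoLinkRequest struct {
	IDPID string // IdP the external login came from
	OrgID string // organization the login was started for
	Email string // e-mail attribute asserted by the external IdP
}

var (
	ErrIDPDisabled        = errors.New("identity provider is disabled")
	ErrIDPNotAllowed      = errors.New("identity provider not activated in organization login policy")
	ErrExternalNotAllowed = errors.New("organization login policy forbids external identity providers")
	ErrAutoLinkDisabled   = errors.New("auto-linking disabled by organization login policy")
	ErrNoMatch            = errors.New("no matching user")
)

// findUser looks up a user by e-mail inside one organization only, so an
// attribute asserted by an IdP can never match a user of another organization.
func findUser(users []User, orgID, email string) (*User, error) {
	for i := range users {
		if users[i].OrgID == orgID && strings.EqualFold(users[i].Email, email) {
			return &users[i], nil
		}
	}
	return nil, ErrNoMatch
}

// vulnerableAutoLink mirrors the flaw class described above: it consults only
// the instance-level IdP record and never the organization's login policy.
func vulnerableAutoLink(idps map[string]IDP, users []User, req AutoLinkRequest) (*User, error) {
	idp, ok := idps[req.IDPID]
	if !ok || !idp.Enabled {
		return nil, ErrIDPDisabled
	}
	return findUser(users, req.OrgID, req.Email)
}

// hardenedAutoLink enforces the organization's login policy before linking.
func hardenedAutoLink(idps map[string]IDP, policies map[string]LoginPolicy, users []User, req AutoLinkRequest) (*User, error) {
	idp, ok := idps[req.IDPID]
	if !ok || !idp.Enabled {
		return nil, ErrIDPDisabled
	}
	policy, ok := policies[req.OrgID]
	if !ok {
		return nil, ErrIDPNotAllowed // no policy on record: fail closed
	}
	if !policy.AllowExternalIDP {
		return nil, ErrExternalNotAllowed
	}
	if !policy.ActiveIDPs[req.IDPID] { // IdP disabled or never activated for this org
		return nil, ErrIDPNotAllowed
	}
	if !policy.AutoLinking {
		return nil, ErrAutoLinkDisabled
	}
	return findUser(users, req.OrgID, req.Email)
}

// sampleSetup returns constructed test data: one instance-level IdP and three
// organizations whose login policies differ only in the settings under test.
func sampleSetup() (map[string]IDP, map[string]LoginPolicy, []User) {
	idps := map[string]IDP{"google": {ID: "google", Enabled: true}}
	policies := map[string]LoginPolicy{
		"acme":  {AllowExternalIDP: true, ActiveIDPs: map[string]bool{}, AutoLinking: true},                // IdP not activated
		"beta":  {AllowExternalIDP: true, ActiveIDPs: map[string]bool{"google": true}, AutoLinking: false}, // auto-linking off
		"gamma": {AllowExternalIDP: true, ActiveIDPs: map[string]bool{"google": true}, AutoLinking: true},  // fully allowed
	}
	users := []User{
		{ID: "u-alice", OrgID: "acme", Email: "alice@acme.example"},
		{ID: "u-bob", OrgID: "beta", Email: "bob@beta.example"},
		{ID: "u-carol", OrgID: "gamma", Email: "carol@gamma.example"},
	}
	return idps, policies, users
}

func main() {
	idps, policies, users := sampleSetup()
	req := AutoLinkRequest{IDPID: "google", OrgID: "acme", Email: "alice@acme.example"}
	u, err := vulnerableAutoLink(idps, users, req)
	fmt.Println("vulnerable:", u, err) // links u-alice although acme never activated the IdP
	u, err = hardenedAutoLink(idps, policies, users, req)
	fmt.Println("hardened:  ", u, err) // refused: identity provider not activated
}
```

The ordering of the checks matters for fail-closed behaviour: an organization with no login policy on record, or one whose policy does not list the IdP, is refused before any user lookup happens, so no information about existing accounts leaks through the linking step.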

Affected Version(s)

Product   Affected range            Unaffected     Fixed in
zitadel   >= 4.0.0-rc.1, < 4.6.6    < 4.0.0-rc.1   4.6.6
zitadel   >= 3.0.0-rc.1, < 3.4.4    < 3.0.0-rc.1   3.4.4
zitadel   >= 2.50.0, < 2.71.19      < 2.50.0       2.71.19

CVSS V4

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (as listed)
Privileges Required: Undefined (as listed)
User Interaction: None

Note: two of the values above do not map onto CVSS v4 as listed. The v4 metric is Attack Requirements, whose values are None or Present (Physical is an Attack Vector value), and Privileges Required takes None, Low or High, not Undefined. Confirm the full vector string against the vendor advisory before relying on these fields.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 13 November 2025
