Authentication Flaw in ZITADEL Management API Exposes Data Across Tenants
CVE-2026-32131

7.7 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 11 March 2026

What is CVE-2026-32131?

A vulnerability in ZITADEL's Management API allowed authenticated users holding low-privilege tokens to access management information belonging to other tenant organizations. The API did not tie the project_id, grant_id, or app_id parameters of a request to the caller's own organization, so supplying identifiers owned by another tenant returned that tenant's data. The issue is resolved in versions 3.4.8 and 4.12.2; deployments on earlier releases should upgrade to close the cross-tenant exposure.
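The defect class described above is a missing tenant-scope check on a caller-supplied resource identifier. The following Go example is added here and is not ZITADEL's code: it uses a constructed in-memory project store and token type (hypothetical names) to show a lookup that only validates the token beside the hardened form that also requires the resource's organization to match the token's organization.

```go
package main

import (
	"errors"
	"fmt"
)

type Token struct {
	UserID string
	OrgID  string // organization the token was issued for
}

type Project struct {
	ID, OrgID, Name string
}

var ErrNotFound = errors.New("project not found")

// Constructed in-memory store keyed by project_id: two tenants, one project each.
var projects = map[string]Project{
	"proj-a1": {ID: "proj-a1", OrgID: "org-a", Name: "Acme CRM"},
	"proj-b1": {ID: "proj-b1", OrgID: "org-b", Name: "Globex Billing"},
}

// GetProjectUnscoped checks only that a token is present, not which organization
// owns the project, so any low-privilege token can read any tenant's project.
func GetProjectUnscoped(tok Token, projectID string) (Project, error) {
	p, ok := projects[projectID]
	if !ok {
		return Project{}, ErrNotFound
	}
	return p, nil
}

// GetProjectScoped is the hardened form: the owning organization must match the
// token's. A foreign ID is reported as not found rather than forbidden, so the
// response does not confirm that the ID exists in another tenant.
func GetProjectScoped(tok Token, projectID string) (Project, error) {
	p, ok := projects[projectID]
	if !ok || p.OrgID != tok.OrgID {
		return Project{}, ErrNotFound
	}
	return p, nil
}

func main() {
	tok := Token{UserID: "user-1", OrgID: "org-a"}
	_, unscopedErr := GetProjectUnscoped(tok, "proj-b1") // <nil>: cross-tenant read succeeds
	_, scopedErr := GetProjectScoped(tok, "proj-b1")     // project not found
	fmt.Println(unscopedErr, scopedErr)
}
```

The same check applies to grant_id and app_id: every identifier the client supplies must be resolved and then compared against the organization the token is scoped to before any data is returned.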

Affected Version(s)

zitadel >= 4.0.0, < 4.12.2 (fixed in 4.12.2)

zitadel < 3.4.8 (fixed in 3.4.8)

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
