Identity Management Platform Flaw in ZITADEL Exposes User Data
CVE-2026-55670

2.3LOW

Key Information:

Vendor

Zitadel

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55670?

ZITADEL, an open-source identity management platform, had an issue in its event store validation which allowed the system to retain the original resource owner of a deleted user identifier. This flaw resulted in a security risk where a new user re-created with the same identifier could inadvertently be assigned to the original organization, exposing sensitive data to that organization's administrator. The vulnerability has since been addressed in version 4.15.2 of the platform.

Affected Version(s)

zitadel < 4.15.2

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.