CVE-2025-64431 Overview
CVE-2025-64431 is an Insecure Direct Object Reference (IDOR) vulnerability in Zitadel, an open source identity management platform. The flaw exists in the V2Beta API and affects versions 4.0.0-rc.1 through 4.6.2. Authenticated users holding specific administrator roles in one organization can read and modify organization-level data belonging to other tenants within the same Zitadel instance. Exposed data is limited to organization metadata such as the organization name, domains, and custom metadata fields. Users, projects, and applications are not impacted. The maintainers fixed the issue in version 4.6.3.
Critical Impact
Authenticated administrators in one organization can access and modify the name, domains, and metadata of unrelated organizations sharing the same Zitadel deployment, breaking multi-tenant isolation.
Affected Products
- Zitadel versions 4.0.0-rc.1 through 4.6.2
- Zitadel V2Beta organization API endpoints
- Self-hosted and cloud Zitadel deployments running affected versions
Discovery Timeline
- 2025-11-07 - CVE-2025-64431 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64431
Vulnerability Analysis
The vulnerability is classified as Insecure Direct Object Reference under [CWE-639]. Zitadel's V2Beta organization service accepts an OrgId parameter from authenticated callers but fails to validate that the caller's administrator role applies to the target organization. As a result, an attacker who holds an administrator role in any organization can supply another organization's identifier and operate on its data. The impact is confined to organization-level objects, including the organization name, associated domains, and metadata. Confidentiality and integrity of organization records are both affected because the unscoped permission check allows both read and write operations through the same code paths.
Root Cause
The V2Beta organization service passed the supplied organization identifier directly to command handlers without scoping the permission check to the target organization. Functions such as AddOrgDomain and RemoveOrg were invoked without the per-organization permission context that the fix later introduces as an additional argument. This pattern allowed a caller authorized for organization A to drive mutations against organization B.
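To make the root cause concrete, here is an added Go illustration (not Zitadel's code) of the flawed pattern beside the scoped form: a constructed Principal with per-organization roles, an AddOrgDomain command that only asks whether the caller is an owner anywhere, and the corrected version that runs a PermissionCheck callback against the target orgID. The Principal type, the PermissionCheck signature and the in-memory domain map are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)
var ErrPermissionDenied = errors.New("permission denied")

// Principal is a constructed model, not Zitadel's: OrgRoles maps org ID to the role held there.
type Principal struct {
	User     string
	OrgRoles map[string]string
}

// PermissionCheck binds an operation to its target org (mirrors the fix's new argument; shape assumed).
type PermissionCheck func(p Principal, resourceOrgID string) error

// OrgOwnerOf passes only if the caller is ORG_OWNER of the target org itself, not of some other org.
func OrgOwnerOf(p Principal, resourceOrgID string) error {
	if p.OrgRoles[resourceOrgID] == "ORG_OWNER" {
		return nil
	}
	return ErrPermissionDenied
}

// AddOrgDomainVulnerable reproduces the flaw: "is the caller an owner anywhere?" is never tied to orgID.
func AddOrgDomainVulnerable(p Principal, orgID, domain string, domains map[string][]string) error {
	for _, role := range p.OrgRoles {
		if role == "ORG_OWNER" {
			domains[orgID] = append(domains[orgID], domain)
			return nil
		}
	}
	return ErrPermissionDenied
}

// AddOrgDomainFixed runs the supplied check against the target orgID before mutating anything.
func AddOrgDomainFixed(p Principal, orgID, domain string, check PermissionCheck, domains map[string][]string) error {
	if err := check(p, orgID); err != nil {
		return fmt.Errorf("AddOrgDomain on %s by %s: %w", orgID, p.User, err)
	}
	domains[orgID] = append(domains[orgID], domain)
	return nil
}

func main() {
	bob := Principal{User: "bob", OrgRoles: map[string]string{"org-A": "ORG_OWNER"}}
	domains := map[string][]string{"org-B": {"b.example"}}
	fmt.Println(AddOrgDomainVulnerable(bob, "org-B", "added.example", domains)) // <nil>: cross-tenant write went through
	fmt.Println(AddOrgDomainFixed(bob, "org-B", "added.example", OrgOwnerOf, domains)) // ... permission denied
}
```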
Attack Vector
Exploitation requires a valid authenticated session and an administrator role within at least one organization in the Zitadel instance. The attacker calls a V2Beta endpoint and substitutes the OrgId field with the identifier of a target organization. Because the permission evaluation does not bind to that target, the request is processed. The patch in commit 8dcfff9 adds an explicit permission-check argument to the underlying command functions.
// Patch: internal/api/grpc/admin/import.go
// fix(api): correct permission check in organization v2beta service
- _, err := s.command.AddOrgDomain(ctx, org.GetOrgId(), domainR.DomainName, []string{})
+ _, err := s.command.AddOrgDomain(ctx, org.GetOrgId(), domainR.DomainName, []string{}, nil)
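Review bot: the new trailing argument is passed as nil in this admin import path, so the per-organization permission check named in the commit message is not applied on this call; add a comment at the call site stating why the import flow is exempt (for instance that it already runs under instance-level authorization), and confirm that the v2beta organization service, which the commit message says this fix targets, passes a non-nil check rather than the same nil.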
// Patch: internal/api/grpc/admin/org.go
func (s *Server) RemoveOrg(ctx context.Context, req *admin_pb.RemoveOrgRequest) (*admin_pb.RemoveOrgResponse, error) {
- details, err := s.command.RemoveOrg(ctx, req.OrgId)
+ details, err := s.command.RemoveOrg(ctx, req.OrgId, nil, true)
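Review bot: `s.command.RemoveOrg(ctx, req.OrgId, nil, true)` passes a nil check and a bare `true`, which nobody can interpret at this call site without opening the command signature; name the flag (a local constant or a comment such as `// admin API: caller already authorized instance-wide`) and make sure that any other caller reaching RemoveOrg with a caller-supplied OrgId supplies a real check instead of copying this `nil, true` pair, since that is exactly the combination that would leave the V2Beta path unscoped.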
Source: GitHub Commit 8dcfff9. The new trailing arguments introduce a permission check callback and an explicit authorization flag that bind the operation to the target organization.
Detection Methods for CVE-2025-64431
Indicators of Compromise
- V2Beta API requests where the authenticated principal's home organization differs from the OrgId parameter in the request body.
- Unexpected changes to organization names, verified domains, or metadata keys without corresponding administrative tickets.
- New or removed organization domains that do not align with the configured primary domain of the requesting administrator.
- Audit log entries for AddOrgDomain, RemoveOrg, or organization metadata mutations issued by users outside the affected tenant.
Detection Strategies
- Parse Zitadel audit events and flag any V2Beta organization mutation where the actor's orgId claim does not match the resource orgId.
- Correlate API access logs against the org membership table to find cross-organization operations.
- Alert on bulk enumeration of organization identifiers from a single authenticated session.
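As an added example (not part of the advisory or of Zitadel), the first detection strategy above in Go: the audit lines are constructed NDJSON with assumed field names, and a V2Beta organization mutation is flagged whenever the actor's organization differs from the resource organization.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// AuditEvent is a constructed, simplified audit record; field names are assumptions, not Zitadel's schema.
type AuditEvent struct {
	Actor       string `json:"actor"`
	ActorOrgID  string `json:"actorOrgId"`    // org the acting user belongs to
	ResourceOrg string `json:"resourceOrgId"` // org the request targeted
	Service     string `json:"service"`
	Method      string `json:"method"`
}
// crossOrgMutation is true for a V2Beta organization mutation whose target org differs from the
// actor's own; read-only Get*/List* calls are skipped (a naming assumption).
func crossOrgMutation(e AuditEvent) bool {
	if !strings.HasPrefix(e.Service, "zitadel.org.v2beta.") {
		return false
	}
	if strings.HasPrefix(e.Method, "Get") || strings.HasPrefix(e.Method, "List") {
		return false
	}
	return e.ActorOrgID != "" && e.ResourceOrg != "" && e.ActorOrgID != e.ResourceOrg
}
// FlagCrossOrgEvents scans newline-delimited JSON audit lines and returns "actor method targetOrg"
// for every cross-organization mutation found; a malformed line is an error, not silently skipped.
func FlagCrossOrgEvents(ndjson string) ([]string, error) {
	var hits []string
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		if crossOrgMutation(e) {
			hits = append(hits, e.Actor+" "+e.Method+" "+e.ResourceOrg)
		}
	}
	return hits, nil
}
// SampleAudit is constructed sample data, not real Zitadel output.
const SampleAudit = `{"actor":"alice","actorOrgId":"org-A","resourceOrgId":"org-A","service":"zitadel.org.v2beta.OrganizationService","method":"AddOrgDomain"}
{"actor":"bob","actorOrgId":"org-A","resourceOrgId":"org-B","service":"zitadel.org.v2beta.OrganizationService","method":"RemoveOrg"}
{"actor":"bob","actorOrgId":"org-A","resourceOrgId":"org-B","service":"zitadel.org.v2beta.OrganizationService","method":"GetOrg"}`
func main() {
	hits, _ := FlagCrossOrgEvents(SampleAudit)
	fmt.Println("cross-org mutations:", hits) // [bob RemoveOrg org-B]
}
```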
Monitoring Recommendations
- Forward Zitadel application and audit logs to a central SIEM for retention and correlation.
- Track the running Zitadel version and alert when instances remain below 4.6.3.
- Monitor requests to /zitadel.org.v2beta.OrganizationService/* paths for anomalous request volume.
How to Mitigate CVE-2025-64431
Immediate Actions Required
- Upgrade all Zitadel instances to version 4.6.3 or later, which contains the corrected permission check.
- Review organization audit logs since the deployment of any version in the 4.0.0-rc.1 to 4.6.2 range for unauthorized mutations.
- Inventory existing administrator role assignments and revoke roles that are no longer required.
- Rotate any organization domains or metadata that may have been modified by an unauthorized party.
Patch Information
The fix is included in Zitadel 4.6.3. The remediation adds explicit permission-check parameters to organization command functions in internal/api/grpc/admin/import.go and internal/api/grpc/admin/org.go. See the GitHub Security Advisory GHSA-cpf4-pmr4-w6cx and the Zitadel v4.6.3 release notes for full details.
Workarounds
- Restrict network access to the V2Beta API surface using an upstream reverse proxy until the upgrade is applied.
- Minimize the number of accounts granted organization administrator roles to reduce the exploitable population.
- Disable or block the V2Beta organization endpoints at the API gateway if they are not in active use.
# Upgrade Zitadel to the patched release
helm repo update
helm upgrade zitadel zitadel/zitadel --version 4.6.3
# Verify the running version
kubectl exec -n zitadel deploy/zitadel -- zitadel --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.