CVE-2025-67717 PUBLISHED

Zitadel Discloses the Total Number of Instance Users

Assigner: GitHub_M
Reserved: 10.12.2025 Published: 11.12.2025 Updated: 11.12.2025

ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of users in the instance to any authenticated user, regardless of that user's permissions. While this does not leak individual user data or PII, exposing the instance-wide user count through the totalResult field of the affected API responses is an information disclosure that may be sensitive in some deployments (for example, revealing a tenant's customer base size to a low-privilege account). This issue is fixed in versions 3.4.5 and 4.7.2.
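The following checker is an added example written for this page; it is not ZITADEL project code. It does two things: it encodes the affected version ranges stated above (including the 4.0.0-rc.1 pre-release lower bound, which a naive semver comparison gets wrong), and it inspects a user-search response for the disclosure signal: a caller whose permissions cover only a few users receives a short, non-full result page, yet totalResult still reports a larger instance-wide figure. The endpoint path (POST /v2/users), the Bearer-token header and the request body shape are assumptions about the ZITADEL API and must be adjusted to the API version in use; the sample response is constructed, not captured from a real instance.

```python
"""Check a ZITADEL instance for CVE-2025-67717 (totalResult disclosure).

Added example for this page, not ZITADEL's own code. Run offline with no
arguments (uses a constructed sample response), or as:
    python check.py https://zitadel.example.com <LOW_PRIVILEGE_TOKEN> 3.4.4
The token must belong to a user with few or no user-read grants; an admin
legitimately sees the full count and the check is meaningless for them.
"""
import json
import re
import sys
import urllib.request

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.(\d+))?$")


def parse_version(s):
    """Return a sortable tuple (major, minor, patch, is_release, rc).
    A release sorts after every one of its rc builds, so 4.0.0 > 4.0.0-rc.1."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version: {s!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 1 if rc is None else 0, int(rc or 0))


# Affected ranges from the advisory: [2.44.0, 3.4.5) and [4.0.0-rc.1, 4.7.2)
AFFECTED = [("2.44.0", "3.4.5"), ("4.0.0-rc.1", "4.7.2")]


def version_is_affected(version):
    """True if `version` falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED)


def discloses_total(response, limit):
    """Classify a search response requested with page size `limit`.

    Returns True  if the page is not full (the caller got everything they are
                  allowed to see) but totalResult claims more: the excess is
                  the leaked instance-wide count.
            False if totalResult matches what the caller can see.
            None  if the page is full, so the comparison is inconclusive;
                  retry with a larger limit.
    totalResult is serialised as a string (uint64) in the JSON API.
    """
    total = int(response.get("details", {}).get("totalResult", 0))
    visible = len(response.get("result", []))
    if visible >= limit:
        return None
    return total > visible


def fetch_search(base_url, token, limit=100):
    """Query the user search API with a low-privilege token.
    ASSUMED endpoint and body shape: POST /v2/users with a query object."""
    body = json.dumps({"query": {"offset": 0, "limit": limit}}).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/v2/users", data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response (not captured from a real instance): the caller
# was handed a single user, but the instance-wide count is still reported.
SAMPLE_RESPONSE = {
    "details": {"totalResult": "1342", "timestamp": "2025-12-11T10:00:00Z"},
    "result": [{"userId": "0000000000000001", "username": "low-priv"}],
}


def main(argv):
    limit = 100
    if len(argv) == 4:
        base_url, token, version = argv[1:]
        data = fetch_search(base_url, token, limit)
    else:
        version, data = "3.4.4", SAMPLE_RESPONSE
    print(f"version {version} affected: {version_is_affected(version)}")
    print(f"totalResult={data['details'].get('totalResult')} "
          f"visible={len(data['result'])} "
          f"discloses={discloses_total(data, limit)}")


if __name__ == "__main__":
    main(sys.argv)
```

The three-state result matters in practice: if the low-privilege token can see as many users as the page size, the count comparison proves nothing, so the script says so rather than reporting a false positive.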

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor zitadel
Product zitadel
Versions
  • Version < 1.80.0-v2.20.0.20251210 is affected
  • Version >= 2.44.0, < 3.4.5 is affected
  • Version >= 4.0.0-rc.1, < 4.7.2 is affected

References

Problem Types

  • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere