CVE-2026-55670 PUBLISHED

ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers

Assigner: GitHub_M
Reserved: 17.06.2026 Published: 10.07.2026 Updated: 10.07.2026

ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Product Status

Vendor zitadel
Product zitadel
Versions
  • Version < 4.15.2 is affected

References

Problem Types

  • CWE-284: Improper Access Control CWE
  • CWE-639: Authorization Bypass Through User-Controlled Key CWE