High severity · OSV Advisory · Published Nov 7, 2025 · Updated Apr 15, 2026
CVE-2025-64431
Description
Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to Insecure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations. Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/zitadel/zitadel (Go) | >= 4.0.0-rc.1, < 4.6.3 | 4.6.3 |
| github.com/zitadel/zitadel (Go) | >= 1.80.0-v2.20.0.20250414095945-f365cee73242, < 1.80.0-v2.20.0.20251105083648-8dcfff97ed52 | 1.80.0-v2.20.0.20251105083648-8dcfff97ed52 |
References
- github.com/advisories/GHSA-cpf4-pmr4-w6cx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64431 (GHSA, advisory)
- github.com/zitadel/zitadel/commit/8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed (NVD, web)
- github.com/zitadel/zitadel/releases/tag/v4.6.3 (NVD, web)
- github.com/zitadel/zitadel/security/advisories/GHSA-cpf4-pmr4-w6cx (NVD, web)