CVE-2025-64431: IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering

November 5, 2025 (updated November 7, 2025)

ZITADEL’s Organization V2Beta API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations.

References

github.com/advisories/GHSA-cpf4-pmr4-w6cx
github.com/zitadel/zitadel
github.com/zitadel/zitadel/commit/8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed
github.com/zitadel/zitadel/releases/tag/v4.6.3
github.com/zitadel/zitadel/security/advisories/GHSA-cpf4-pmr4-w6cx
nvd.nist.gov/vuln/detail/CVE-2025-64431

Code Behaviors & Features

Detect and mitigate CVE-2025-64431 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →