CVE-2026-32131
Published: 11 March 2026
Summary
CVE-2026-32131 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in ZITADEL, Zitadel's open-source identity management platform. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 11.2nd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations, directly addressing the failure to restrict low-privilege API access to only the authenticated user's tenant resources.
AC-6 enforces least privilege, confining tokens that carry low-privilege permissions such as project.read to the organization they were issued for and mitigating cross-tenant overreach.
SI-10 mandates validation of information inputs such as project_id or app_id against the user's tenant, preventing unauthorized retrieval of other organizations' data.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authorization bypass in the externally reachable Management API matches T1190 (Exploit Public-Facing Application); cross-tenant data access is a scope-changing privilege escalation (T1068, Exploitation for Privilege Escalation) and enables enumeration of other organizations' IAM resources (T1526, Cloud Service Discovery).
NVD Description
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant's project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.
Deeper analysis
CVE-2026-32131 is an authorization bypass vulnerability (CWE-639, CWE-862) in the Management API of ZITADEL, an open-source identity management platform. Versions prior to 3.4.8 and 4.12.2 are affected, where authenticated users with low-privilege tokens—such as those granting project.read, project.grant.read, or project.app.read permissions—could access management-plane information from other organizations. The issue has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with changed scope.
An attacker with a valid low-privilege token in one organization can exploit this remotely over the network with low complexity by simply specifying a different tenant's project_id, grant_id, or app_id in API requests. This allows unauthorized retrieval of sensitive management-plane data belonging to other tenants, potentially exposing project details, grants, or application configurations across organizational boundaries without requiring user interaction.
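The access pattern described in the two paragraphs above, together with the ownership check that AC-3 and SI-10 call for under Mitigating Controls, as an added illustration. This is not ZITADEL's code: the Token and Project types, the in-memory project store, the sample organization and project identifiers, and the two handler functions are assumptions constructed for the example. The vulnerable handler checks only that the caller holds project.read and then trusts the caller-supplied project_id; the hardened handler additionally requires that the resource belongs to the organization the token was issued for.

```go
package main

import (
	"errors"
	"fmt"
)

// Token is an illustrative stand-in for a validated API token (assumption,
// not ZITADEL's token model).
type Token struct {
	UserID      string
	OrgID       string          // organization (tenant) the token was issued for
	Permissions map[string]bool // e.g. "project.read"
}

// Project is an illustrative management-plane resource with an owning organization.
type Project struct {
	ID    string
	OrgID string
	Name  string
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// Constructed sample data: two tenants, one project each.
var projects = map[string]Project{
	"p-org-a-1": {ID: "p-org-a-1", OrgID: "org-a", Name: "Org A billing portal"},
	"p-org-b-1": {ID: "p-org-b-1", OrgID: "org-b", Name: "Org B HR system"},
}

// GetProjectVulnerable reproduces the CWE-639 pattern: it verifies that the
// caller holds project.read, then looks up whatever project_id the caller
// supplied without checking which organization owns it.
func GetProjectVulnerable(tok Token, projectID string) (Project, error) {
	if !tok.Permissions["project.read"] {
		return Project{}, ErrForbidden
	}
	p, ok := projects[projectID]
	if !ok {
		return Project{}, ErrNotFound
	}
	return p, nil
}

// GetProjectHardened adds the missing ownership check (AC-3 access enforcement,
// SI-10 input validation): the project's OrgID must equal the token's OrgID.
// A foreign-tenant id is answered with ErrNotFound rather than ErrForbidden so
// the endpoint does not become an oracle for which ids exist in other tenants.
func GetProjectHardened(tok Token, projectID string) (Project, error) {
	if !tok.Permissions["project.read"] {
		return Project{}, ErrForbidden
	}
	p, ok := projects[projectID]
	if !ok || p.OrgID != tok.OrgID {
		return Project{}, ErrNotFound
	}
	return p, nil
}

func main() {
	// A low-privilege user of org-a asks for a project that belongs to org-b.
	attacker := Token{UserID: "u-1", OrgID: "org-a", Permissions: map[string]bool{"project.read": true}}

	_, err := GetProjectVulnerable(attacker, "p-org-b-1")
	fmt.Println("vulnerable, foreign project:", err) // nil: cross-tenant read succeeds

	_, err = GetProjectHardened(attacker, "p-org-b-1")
	fmt.Println("hardened, foreign project:", err) // not found

	p, err := GetProjectHardened(attacker, "p-org-a-1")
	fmt.Println("hardened, own project:", p.Name, err) // own project still readable
}
```

The permission check and the tenant check are independent: a valid project.read grant says what the caller may do, while the OrgID comparison says on which objects. The bug class here is having the first without the second, which is why a review of every Management API handler that accepts a caller-supplied id should confirm both checks are present.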
Zitadel addressed the vulnerability in releases 3.4.8 and 4.12.2, as detailed in the official release notes and security advisory (GHSA-wr6r-59xg-4pj2). Security practitioners should upgrade affected instances to the patched release of their major line (3.4.8 for 3.x, 4.12.2 for 4.x); further technical details are available in the referenced GitHub repositories.
Details
- CWE(s)