Back to overview

CVE-2026-55670

LOW
2.3
CVSS 4.0
Description
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.

Metadata

CVE ID
CVE-2026-55670
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 00:05 UTC
Published
2026-07-10 17:15 UTC
Last updated
2026-07-10 17:15 UTC
Primary CWE
CWE-284
CWE-284: Improper Access Control
Vendor / Product
zitadel / zitadel
Sources
cve.org  ·  NVD

Severity & Metrics

2.3 LOW CVSS 4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
zitadel zitadel < 4.15.2
Weakness (CWE)
CWESourceDescription
CWE-284 cna CWE-284: Improper Access Control
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
2.3 LOW 4.0 cna CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
References (4)
Back to overview