{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32131", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.545Z", "datePublished": "2026-03-11T21:38:51.942Z", "dateUpdated": "2026-03-12T16:18:01.726Z"}, "containers": {"cna": {"title": "ZITADEL Cross-Tenant Information Disclosure in Management API", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2"}, {"name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8"}, {"name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 4.0.0, < 4.12.2", "status": "affected"}, {"version": "< 3.4.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T21:40:24.067Z"}, "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant\u2019s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2."}], "source": {"advisory": "GHSA-wr6r-59xg-4pj2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T15:44:01.072159Z", "id": "CVE-2026-32131", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T16:18:01.726Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T15:44:01.072159Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:44:07.731Z"}}], "cna": {"title": "ZITADEL Cross-Tenant Information Disclosure in Management API", "source": {"advisory": "GHSA-wr6r-59xg-4pj2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.12.2"}, {"status": "affected", "version": "< 3.4.8"}]}], "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8", "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2", "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant\u2019s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T21:40:24.067Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32131", "state": "PUBLISHED", "dateUpdated": "2026-03-12T16:18:01.726Z", "dateReserved": "2026-03-10T22:19:36.545Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T21:38:51.942Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D10CA4D8-E0F2-4E5B-96D6-8A07147E3BCD", "versionEndExcluding": "3.4.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "22086237-3579-411C-806B-D740008579B0", "versionEndExcluding": "4.12.2", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant\u2019s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2."}, {"lang": "es", "value": "ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. Antes de las versiones 3.4.8 y 4.12.2, se ha reportado una vulnerabilidad en la API de Gesti\u00f3n de Zitadel, que permit\u00eda a usuarios autenticados con un token v\u00e1lido de bajo privilegio (por ejemplo, project.read, project.grant.read o project.app.read) recuperar informaci\u00f3n del plano de gesti\u00f3n perteneciente a otras organizaciones especificando el project_id, grant_id o app_id de un inquilino diferente. Esta vulnerabilidad est\u00e1 corregida en las versiones 3.4.8 y 4.12.2."}], "id": "CVE-2026-32131", "lastModified": "2026-03-16T16:52:22.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T22:16:32.957", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.12.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zitadel", "source": "cna", "vendor": "zitadel"}, "product": "zitadel", "vendor": "zitadel"}], "analysis": {"en": {"generated_at": "2026-03-17T16:19:33.815362+00:00", "value": {"mitigation_remediation": ["Apply the latest Zitadel release (v3.4.8 or newer, or v4.12.2 or newer) to address the vulnerability."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected vendors and products: Zitadel; platform: Zitadel identity management. Version information is inferred from the advisory text: all releases prior to 3.4.8 in the 3.x branch and all releases prior to 4.12.2 in the 4.x branch are vulnerable.", "description_and_impact": "This vulnerability in Zitadel's Management API allows an authenticated user with a low\u2011privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management\u2011plane data belonging to other organizations by specifying a different tenant\u2019s project_id, grant_id, or app_id. Because the API does not enforce tenancy boundaries, the attacker can read configuration and sensitive information from another tenant, leading to confidentiality loss. The weakness corresponds to CWE\u2011639 (Authorization Bypass Through Privilege Escalation) and CWE\u2011862 (Missing Authorization).", "risk_and_exploitability": "Risk and exploitability: The CVSS score is 7.7, indicating a high severity. EPSS is under 1%, showing a low probability of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires only an authenticated low\u2011privilege token, making it trivially achievable by any legitimate user or by an attacker who has hijacked such a token. Immediate patching is strongly recommended to eliminate the data leakage risk."}}}}, "created": "2026-03-12T09:55:43.505684+00:00", "updated": "2026-03-20T15:36:52.004687+00:00", "vendors": ["zitadel", "zitadel$PRODUCT$zitadel"]}