CVE-2025-64717
Published: 13 November 2025
Description
ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. This vulnerability stems from the platform's failure to correctly check or enforce an organization's specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not honored during the auto-linking process. This allowed an unauthenticated attacker to initiate a login using an IdP that should have been disabled for that organization. The platform would incorrectly validate the login and, based on matching criteria, link the attacker's external identity to an existing internal user account. This may result in a full Account Takeover, bypassing the organization's mandated security controls. Note that accounts with MFA enabled cannot be taken over by this attack. Also note that only IdPs created at the instance level allow this to work; IdPs registered on another organization are always denied in the (auto-)linking process. Versions 4.6.6, 3.4.4, and 2.71.19 resolve the issue by correctly validating the organization's login policy before auto-linking an external user. No known workarounds are available aside from upgrading.
Mitigating Controls (NIST 800-53 r5)
- Requires registration, approval, and policy enforcement for external identity providers, directly preventing auto-linking from disabled or unauthorized IdPs during federation.
- Enforces approved authorizations and organizational access control policies, such as disabled IdPs or prohibited federation, in the authentication and auto-linking process.
- Manages system accounts to establish conditions for account linking and modifications, mitigating unauthorized federation-based account takeovers.
Security Summary
CVE-2025-64717 is a high-severity vulnerability (CVSS 3.1 score of 9.8, associated with CWE-287: Improper Authentication) affecting ZITADEL, an open-source identity management platform. The issue resides in the federation process, impacting versions starting from 2.50.0 up to but not including 2.71.19, 3.4.4, and 4.6.6. It arises from the platform's failure to enforce an organization's security settings during user auto-linking from external identity providers (IdPs). Specifically, even if an Organization Administrator disables an IdP or prohibits federated authentication, these configurations are not checked, allowing unauthorized linking of external identities to existing internal ZITADEL user accounts.
An unauthenticated attacker can exploit this by initiating a login flow using an instance-level IdP that has been disabled for the target organization. If matching criteria are met, the platform incorrectly validates the login and auto-links the attacker's external identity to an existing internal user account, resulting in full account takeover and bypass of organizational security controls. This does not affect accounts with multi-factor authentication (MFA) enabled, and it is limited to IdPs created at the instance level—those registered to other organizations are always denied during linking.
The ZITADEL security advisory (GHSA-j4g7-v4m4-77px) and release notes for versions 2.71.19, 3.4.4, and 4.6.6 detail the fix, which enforces validation of the organization's login policy prior to auto-linking external users. No workarounds exist beyond upgrading to these patched versions.
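As an added illustration of the missing check described in the Description and the Security Summary (this is not ZITADEL's own code), the following Go snippet contrasts the flawed auto-linking decision for an instance-level IdP with one that validates the organization's login policy first; the type names, field names and IdP identifiers are constructed assumptions.

```go
package main

import "fmt"

// Constructed, simplified model of the auto-linking decision; the type and
// field names are assumptions for illustration, not ZITADEL's real ones.
type IdP struct {
	ID    string
	OrgID string // empty for an IdP created at the instance level
}

type LoginPolicy struct {
	AllowExternalIdP bool            // org admin may disallow federation outright
	ActiveIdPs       map[string]bool // IdPs the organization has enabled
}

type LinkRequest struct {
	OrgID   string
	IdP     IdP
	Matched bool // external identity matched an existing ZITADEL user
}

// ownedByOtherOrg reflects the one check that always held: an IdP registered
// to a different organization is denied in the (auto-)linking process.
func ownedByOtherOrg(r LinkRequest) bool {
	return r.IdP.OrgID != "" && r.IdP.OrgID != r.OrgID
}

// autoLinkVulnerable mirrors the flawed behaviour: for an instance-level IdP
// a match alone is enough, whatever the organization's policy says.
func autoLinkVulnerable(_ LoginPolicy, r LinkRequest) bool {
	return !ownedByOtherOrg(r) && r.Matched
}

// autoLinkFixed validates the organization's login policy before linking,
// which is what the patched releases (2.71.19, 3.4.4, 4.6.6) enforce.
func autoLinkFixed(p LoginPolicy, r LinkRequest) bool {
	if ownedByOtherOrg(r) || !p.AllowExternalIdP || !p.ActiveIdPs[r.IdP.ID] {
		return false
	}
	return r.Matched
}

func main() {
	policy := LoginPolicy{AllowExternalIdP: true, ActiveIdPs: map[string]bool{"idp-enabled": true}}
	req := LinkRequest{OrgID: "org-a", IdP: IdP{ID: "idp-disabled"}, Matched: true}
	fmt.Println("vulnerable links:", autoLinkVulnerable(policy, req)) // true
	fmt.Println("fixed links:", autoLinkFixed(policy, req))           // false
}
```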
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated exploitation of a public-facing identity management login/federation endpoint (T1190, Exploit Public-Facing Application) to achieve account takeover via improper authentication checks, directly facilitating credential access (T1212, Exploitation for Credential Access).