Advisory

ZITADEL Admin API flaw enables IDOR exploit

Take action: If you are running ZITADEL, schedule the patch now. The missing authorization checks cover 12 Admin API endpoints, and any authenticated user of the instance can reach them, so a single compromised low-privilege account is enough to read the LDAP bind password or tamper with instance settings. Don't delay.


Learn More

Security researchers have identified a significant Insecure Direct Object Reference (IDOR) vulnerability, in practice a set of missing authorization checks, in ZITADEL's Admin API, tracked as CVE-2025-27507 (CVSS score 9.1).

ZITADEL is an Identity and Access Management (IAM) solution that provides secure user authentication and authorization services.

The flaw allows authenticated users who do not hold the required IAM roles to read and modify sensitive instance settings, potentially leading to account takeovers and unauthorized configuration changes.

The ZITADEL Admin API, used to manage a ZITADEL instance, contains 12 HTTP endpoints that lack authorization checks, so any authenticated user can call them, not only users holding ZITADEL manager roles. The most critical are the endpoints that read and write the LDAP identity-provider configuration:

  • /idps/ldap
  • /idps/ldap/{id}

An unauthorized user who can call these endpoints could:

  • Redirect LDAP authentication traffic to a server they control, enabling credential interception
  • Modify the instance's LDAP settings to hijack login attempts
  • Extract the password ZITADEL uses to bind to the LDAP server from API responses, potentially compromising every account in the directory

Additional vulnerable endpoints that could allow unauthorized modification of instance settings include:

  • /idps/templates/_search
  • /idps/templates/{id}
  • /policies/label/_activate
  • /policies/label/logo
  • /policies/label/logo_dark
  • /policies/label/icon
  • /policies/label/icon_dark
  • /policies/label/font
  • /text/message/passwordless_registration/{language}
  • /text/login/{language}

The severity of impact varies depending on deployment configuration:

For LDAP-dependent organizations:

  • Complete takeover of user accounts is possible by redirecting authentication requests
  • Exposure of the LDAP server's credentials, compromising organizational directories

For non-LDAP users:

  • These deployments are protected from the LDAP-related risks, but remain exposed to unauthorized changes to instance branding, localization texts, and policies
  • Altered login texts and branding can support phishing and social-engineering campaigns, or simply disrupt the service

ZITADEL has released updates across multiple supported versions to address these vulnerabilities:

  • 2.x versions are fixed in >= 2.71.0
  • 2.70.x versions are fixed in >= 2.70.1
  • 2.69.x versions are fixed in >= 2.69.4
  • 2.68.x versions are fixed in >= 2.68.4
  • 2.67.x versions are fixed in >= 2.67.8
  • 2.66.x versions are fixed in >= 2.66.11
  • 2.65.x versions are fixed in >= 2.65.6
  • 2.64.x versions are fixed in >= 2.64.5
  • 2.63.x versions are fixed in >= 2.63.8
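
The table above is easy to misread for a backported line (2.66.10 is vulnerable, 2.66.11 is not, and a 2.71.0 release candidate predates the fix). The following script, added here as an example and not part of ZITADEL or the advisory, encodes the table and classifies a version string such as the one on your container image tag. The function names, the treatment of pre-release tags, and the choice to report 2.62 and older as vulnerable (the advisory lists no fixed release for those lines) are this example's own assumptions.

```python
"""Classify a ZITADEL version against the fixed-version table from this advisory."""
import re
import sys

# Fixed-version table from the advisory: 2.<minor> lines that received a backport,
# mapped to the first patch release of that line containing the fix.
FIXED_PATCH_BY_MINOR = {70: 1, 69: 4, 68: 4, 67: 8, 66: 11, 65: 6, 64: 5, 63: 8}

# Every 2.x release from this minor onwards ships the fix.
FIRST_FIXED_MINOR = 71

VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)"          # major.minor.patch, optional leading "v"
    r"(?:-([0-9A-Za-z.-]+))?"          # optional pre-release, e.g. -rc.1
    r"(?:\+[0-9A-Za-z.-]+)?$"          # optional build metadata, ignored
)


def parse_version(version):
    """Return (major, minor, patch, prerelease) for a semver-style string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def status(version):
    """Return 'fixed', 'vulnerable' or 'not-covered' for a ZITADEL version.

    'not-covered' means the advisory's table says nothing about this major line.
    """
    major, minor, patch, pre = parse_version(version)
    if major != 2:
        return "not-covered"
    if minor >= FIRST_FIXED_MINOR:
        required = (FIRST_FIXED_MINOR, 0)
    elif minor in FIXED_PATCH_BY_MINOR:
        required = (minor, FIXED_PATCH_BY_MINOR[minor])
    else:
        # Assumption: 2.62 and older have no listed fixed release, so the only
        # remedy is moving to one of the listed fixed versions.
        return "vulnerable"
    # A pre-release (2.70.1-rc.1) precedes its final release, so it ranks below
    # the final 2.70.1 that actually carries the fix.
    actual = (minor, patch, 0 if pre else 1)
    return "fixed" if actual >= (required[0], required[1], 1) else "vulnerable"


def upgrade_target(version):
    """Smallest listed release that fixes a vulnerable version, or None if not needed."""
    if status(version) != "vulnerable":
        return None
    _, minor, _, _ = parse_version(version)
    if minor in FIXED_PATCH_BY_MINOR:
        return f"2.{minor}.{FIXED_PATCH_BY_MINOR[minor]}"
    return f"2.{FIRST_FIXED_MINOR}.0"


if __name__ == "__main__":
    # Usage: python check_zitadel_version.py 2.70.0 v2.66.11
    for v in sys.argv[1:] or ["2.70.0"]:
        print(f"{v}: {status(v)} (upgrade target: {upgrade_target(v)})")
```

Run it against every ZITADEL deployment you operate, including staging and any self-hosted instance a team spun up outside the platform inventory; a fixed production instance does not protect a forgotten 2.6x test instance that shares the same LDAP bind account.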

All organizations are strongly advised to upgrade immediately. Security teams should also review the instance's change history for unexpected edits to the LDAP identity-provider configuration, label policy, and login and message texts, and should rotate the LDAP bind credential if it may have been read. Because the vulnerable calls are ordinary authenticated API requests that succeed, they do not show up as errors or anomalies in access logs; look for who touched the affected endpoints rather than for failed requests.
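
The following script, added here as an example and not part of ZITADEL or the advisory, shows that search in code: it matches request paths against the twelve endpoint templates listed above and flags every hit whose caller is not on an allow list of subjects known to hold manager roles. The `/admin/v1` prefix, the JSON-lines log format with `ts`, `subject`, `method` and `path` fields, the sample entries, and the trusted-subject list are all this example's own assumptions; in practice you would feed it your reverse-proxy or API gateway logs, mapped into that shape.

```python
"""Flag access-log requests that hit the Admin API endpoints named in this advisory."""
import json
import re
from urllib.parse import urlsplit

# Assumption: the Admin API is exposed under this prefix on the instance domain.
ADMIN_PREFIX = "/admin/v1"

# Endpoint templates from the advisory; {id} and {language} are path parameters.
# Literal templates come first so "_search" is reported as itself, not as an {id}.
ENDPOINTS = [
    ("/idps/ldap", "ldap"),
    ("/idps/ldap/{id}", "ldap"),
    ("/idps/templates/_search", "settings"),
    ("/idps/templates/{id}", "settings"),
    ("/policies/label/_activate", "settings"),
    ("/policies/label/logo", "settings"),
    ("/policies/label/logo_dark", "settings"),
    ("/policies/label/icon", "settings"),
    ("/policies/label/icon_dark", "settings"),
    ("/policies/label/font", "settings"),
    ("/text/message/passwordless_registration/{language}", "settings"),
    ("/text/login/{language}", "settings"),
]


def template_to_regex(template):
    """Turn '/idps/ldap/{id}' into a regex matching one path segment per parameter."""
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + re.escape(ADMIN_PREFIX) + body + "/?$")


MATCHERS = [(t, template_to_regex(t), cls) for t, cls in ENDPOINTS]


def classify(url_path):
    """Return (template, class) when the path is an affected endpoint, else None."""
    path = urlsplit(url_path).path  # ignore any query string
    for template, regex, cls in MATCHERS:
        if regex.match(path):
            return template, cls
    return None


def scan(lines, trusted_subjects):
    """Collect every request to an affected endpoint and mark whether the caller is trusted."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        hit = classify(entry["path"])
        if hit is None:
            continue
        template, cls = hit
        findings.append({
            "ts": entry["ts"],
            "subject": entry["subject"],
            "method": entry["method"],
            "path": entry["path"],
            "template": template,
            "class": cls,
            "trusted": entry["subject"] in trusted_subjects,
        })
    return findings


def untrusted_counts(findings):
    """Count untrusted hits per class, e.g. {'ldap': 1, 'settings': 3}."""
    counts = {"ldap": 0, "settings": 0}
    for f in findings:
        if not f["trusted"]:
            counts[f["class"]] += 1
    return counts


# Constructed sample log (JSON lines); the field names are an assumption, not
# ZITADEL's own log format, and the subjects are made-up user IDs.
SAMPLE_LOG = """
{"ts": "2025-03-04T10:00:01Z", "subject": "admin-001", "method": "PUT", "path": "/admin/v1/idps/ldap/281"}
{"ts": "2025-03-04T10:02:17Z", "subject": "user-042", "method": "GET", "path": "/admin/v1/idps/ldap/281"}
{"ts": "2025-03-04T10:02:40Z", "subject": "user-042", "method": "PUT", "path": "/admin/v1/policies/label/logo"}
{"ts": "2025-03-04T10:03:05Z", "subject": "user-042", "method": "GET", "path": "/auth/v1/users/me"}
{"ts": "2025-03-04T10:05:59Z", "subject": "user-077", "method": "POST", "path": "/admin/v1/idps/templates/_search?limit=50"}
{"ts": "2025-03-04T10:06:30Z", "subject": "user-042", "method": "PUT", "path": "/admin/v1/text/login/en"}
"""

# Assumption: subjects that legitimately hold instance-manager roles.
TRUSTED_SUBJECTS = {"admin-001"}

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines(), TRUSTED_SUBJECTS)
    for h in hits:
        flag = "ok " if h["trusted"] else "!! "
        print(f"{flag}{h['ts']} {h['subject']} {h['method']} {h['path']} -> {h['template']} [{h['class']}]")
    print(untrusted_counts(hits))
```

Any untrusted hit in the `ldap` class is the one to escalate first: a GET on /idps/ldap/{id} by a non-manager is enough to have exposed the bind password, so treat it as a credential compromise and rotate, while untrusted hits in the `settings` class call for comparing the current branding and texts against a known-good copy.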
