CVE-2026-55670
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.
| CWE | CWE-284 CWE-639 |
| Vendor | zitadel |
| Product | zitadel |
| Published | Jul 10, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for zitadel zitadel
Be the first to know when new unknown vulnerabilities affecting zitadel zitadel are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
zitadel / zitadel
< 4.15.2
References
github.com: https://github.com/zitadel/zitadel/security/advisories/GHSA-6x8v-2fq5-2229 github.com: https://github.com/zitadel/zitadel/pull/12261 github.com: https://github.com/zitadel/zitadel/commit/a939b847d90c3370bd162064e57764b89c01be46 github.com: https://github.com/zitadel/zitadel/releases/tag/v4.15.2