CVE Alert

CVE-2026-58165

HIGH 8.8

OpenZiti - Privilege Escalation to Admin via Unauthorized Enrollment Creation

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability. An authenticated non-admin identity holding fine-grained enrollment-management permissions can create enrollments for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go verifies only that the target identity exists and performs no authorization check binding the caller to the target identity. An attacker then redeems the resulting one-time token through the unauthenticated client API enrollment endpoint and obtains a client certificate that authenticates as the targeted admin identity, yielding full administrative control of the controller and of the zero-trust overlay it manages.
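To make the missing check concrete, here is an added Go example (not OpenZiti code, and not the patch in commit 3027fdf) that models the CWE-862 pattern the description names: a create-enrollment handler that gates on a coarse permission and then only confirms the target identity exists, next to a version that also binds the caller to the target. The types, the `enrollment.create` permission name and the binding policy (non-admin callers may enroll only their own identity, never an admin) are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the CWE-862 pattern described for CVE-2026-58165.
// NOT OpenZiti's code: the types, permission name and binding policy are
// hypothetical stand-ins that make the missing check visible and testable.

// Identity is a minimal stand-in for a controller identity record.
type Identity struct {
	ID      string
	IsAdmin bool
}

// Caller is the authenticated principal issuing the create-enrollment call;
// Permissions holds its fine-grained grants (hypothetical names).
type Caller struct {
	IdentityID  string
	IsAdmin     bool
	Permissions map[string]bool
}

// Store is an in-memory identity table standing in for the controller DB.
type Store struct{ identities map[string]Identity }

var (
	ErrNotFound  = errors.New("identity not found")
	ErrForbidden = errors.New("caller may not create an enrollment for this identity")
)

const permEnrollCreate = "enrollment.create" // hypothetical permission name

// ApplyCreateVulnerable mirrors the described defect: after the coarse
// permission check, the only condition on the target is that it exists, so a
// low-privilege caller can mint a one-time token for the default admin.
func (s *Store) ApplyCreateVulnerable(c Caller, targetID string) (string, error) {
	if !c.Permissions[permEnrollCreate] {
		return "", ErrForbidden
	}
	if _, ok := s.identities[targetID]; !ok {
		return "", ErrNotFound
	}
	return newToken(targetID), nil
}

// ApplyCreateFixed adds the missing object-level check: a non-admin caller may
// enroll only its own identity and never an admin one. Not-found and forbidden
// collapse into one error for non-admins so the endpoint cannot be used to
// enumerate identity IDs. The policy is an illustration, not commit 3027fdf.
func (s *Store) ApplyCreateFixed(c Caller, targetID string) (string, error) {
	if !c.Permissions[permEnrollCreate] {
		return "", ErrForbidden
	}
	target, ok := s.identities[targetID]
	if c.IsAdmin {
		if !ok {
			return "", ErrNotFound
		}
		return newToken(targetID), nil
	}
	if !ok || target.IsAdmin || target.ID != c.IdentityID {
		return "", ErrForbidden
	}
	return newToken(targetID), nil
}

// newToken stands in for one-time-token issuance; a real controller would draw
// it from a CSPRNG and persist it with an expiry.
func newToken(identityID string) string { return "enrollment-token-for-" + identityID }

// SampleStore is a constructed identity table: the default admin plus one device.
func SampleStore() *Store {
	return &Store{identities: map[string]Identity{
		"default-admin": {ID: "default-admin", IsAdmin: true},
		"device-7":      {ID: "device-7"},
	}}
}

// LowPrivCaller is the advisory's attacker: a non-admin identity holding only
// the enrollment-create permission.
func LowPrivCaller() Caller {
	return Caller{IdentityID: "device-7", Permissions: map[string]bool{permEnrollCreate: true}}
}

// AdminCaller is a legitimate administrator.
func AdminCaller() Caller {
	return Caller{IdentityID: "default-admin", IsAdmin: true, Permissions: map[string]bool{permEnrollCreate: true}}
}

func main() {
	s, attacker := SampleStore(), LowPrivCaller()
	tok, err := s.ApplyCreateVulnerable(attacker, "default-admin")
	fmt.Printf("vulnerable: token=%q err=%v\n", tok, err)
	tok, err = s.ApplyCreateFixed(attacker, "default-admin")
	fmt.Printf("fixed:      token=%q err=%v\n", tok, err)
}
```

Run with `go run .`: the vulnerable path hands the low-privilege caller a token for default-admin, the fixed path refuses it. Whatever policy a real controller adopts, the decision has to be made on the caller-target pair, not on the target alone; the example also returns a single error to non-admins for both "no such identity" and "not yours" so the endpoint does not double as an identity-enumeration oracle.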

CWE: CWE-862
Vendor: openziti
Product: ziti
Published: Jun 30, 2026
Last Updated: Jun 30, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

openziti / ziti
0 ≤ version ≤ 2.0.0

References

NVD
CVE.org
EPSS Data
https://github.com/openziti/ziti/issues/4010
https://github.com/openziti/ziti/pull/4013
https://github.com/openziti/ziti/commit/3027fdffd3e57884487b7c46e5e669cfbc8becdf
https://www.vulncheck.com/advisories/openziti-privilege-escalation-to-admin-via-unauthorized-enrollment-creation

Credits

George Chen