{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33132", "tracking": { "current_release_date": "2026-03-25T18:16:27.327318Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33132", "initial_release_date": "2026-03-18T17:42:52.260546Z", "revision_history": [ { "date": "2026-03-18T17:42:52.260546Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)." }, { "date": "2026-03-18T17:42:57.747970Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-19T11:40:04.870142Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)." }, { "date": "2026-03-20T18:29:19.235196Z", "number": "4", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (3).| References created (4).| CWES updated (1)." }, { "date": "2026-03-20T18:29:23.661319Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:29:36.247689Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-20T18:29:38.937052Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-20T20:39:23.119605Z", "number": "8", "summary": "Unknown change." }, { "date": "2026-03-20T21:07:07.204406Z", "number": "9", "summary": "NCSC Score updated." }, { "date": "2026-03-20T21:41:32.474031Z", "number": "10", "summary": "References created (1)." }, { "date": "2026-03-20T21:58:58.710152Z", "number": "11", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T21:59:01.422481Z", "number": "12", "summary": "NCSC Score updated." }, { "date": "2026-03-21T00:28:28.360197Z", "number": "13", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| Product Identifiers created (1).| References created (6).| CWES updated (1).| Vendor_assessment created." }, { "date": "2026-03-21T00:28:31.598964Z", "number": "14", "summary": "NCSC Score updated." }, { "date": "2026-03-21T13:47:16.648605Z", "number": "15", "summary": "References removed (1)." }, { "date": "2026-03-22T00:51:42.943604Z", "number": "16", "summary": "References created (1)." }, { "date": "2026-03-22T11:24:46.422429Z", "number": "17", "summary": "References removed (1)." }, { "date": "2026-03-23T00:53:53.035796Z", "number": "18", "summary": "References created (1)." }, { "date": "2026-03-23T05:15:49.492076Z", "number": "19", "summary": "References removed (1)." }, { "date": "2026-03-24T10:19:07.613652Z", "number": "20", "summary": "Products created (2).| Product Identifiers created (2)." }, { "date": "2026-03-24T10:19:12.406570Z", "number": "21", "summary": "NCSC Score updated." }, { "date": "2026-03-24T20:56:09.776910Z", "number": "22", "summary": "References created (1)." }, { "date": "2026-03-24T20:56:13.479625Z", "number": "23", "summary": "NCSC Score updated." }, { "date": "2026-03-25T18:12:59.788265Z", "number": "24", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| Products created (1).| References created (5).| CWES updated (1)." }, { "date": "2026-03-25T18:13:34.710826Z", "number": "25", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (5)." } ], "status": "interim", "version": "25" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/2", "product": { "name": "vers:rpm/2", "product_id": "CSAFPID-1441080", "product_identification_helper": { "cpe": "cpe:/a:redhat:acm:2" } } } ], "category": "product_name", "name": "Red Hat Advanced Cluster Management for Kubernetes 2" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2656613" } } ], "category": "product_name", "name": "acm-multicluster-observability-addon-rhel9" } ], "category": "product_family", "name": "Red Hat Advanced Cluster Management for Kubernetes 2" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<1.80.0-v2.20.0.20260317120401-d90285929ca0", "product": { "name": "vers:unknown/<1.80.0-v2.20.0.20260317120401-d90285929ca0", "product_id": "CSAFPID-5874597" } }, { "category": "product_version_range", "name": "vers:unknown/<3.4.9", "product": { "name": "vers:unknown/<3.4.9", "product_id": "CSAFPID-5897416", "product_identification_helper": { "cpe": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<1.80.0-v2.20.0.20260317120401-d90285929ca0", "product": { "name": "vers:unknown/>=0|<1.80.0-v2.20.0.20260317120401-d90285929ca0", "product_id": "CSAFPID-5907208" } }, { "category": "product_version_range", "name": "vers:unknown/>=3.0.0-rc.1|<3.4.9", "product": { "name": "vers:unknown/>=3.0.0-rc.1|<3.4.9", "product_id": "CSAFPID-5874596" } }, { "category": "product_version_range", "name": "vers:unknown/>=4.0.0-rc.1|<4.12.3", "product": { "name": "vers:unknown/>=4.0.0-rc.1|<4.12.3", "product_id": "CSAFPID-5874595" } }, { "category": "product_version_range", "name": "vers:unknown/>=4.0.0|<4.12.3", "product": { "name": "vers:unknown/>=4.0.0|<4.12.3", "product_id": "CSAFPID-5897417", "product_identification_helper": { "cpe": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Zitadel" } ], "category": "vendor", "name": "Zitadel" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33132", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "notes": [ { "category": "description", "text": "### Summary\n\nA vulnerability in Zitadel's OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication.\n\n### Impact\n\nZitadel allows applications to enforce an organzation context during authentication using [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes) (`urn:zitadel:iam:org:id:{id}` and `urn:zitadel:iam:org:domain:primary:{domainname}`). If enforced, a user needs to be part of the required organization to sign in.\n\nWhile this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations.\n\nNote that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass.\n\n### Affected Versions\n\nSystems running one of the following versions are affected:\n- **4.x**: `4.0.0` through `4.12.2` (including RC versions)\n- **3.x**: `3.0.0` through `3.4.8` (including RC versions)\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by validating the provided scopes and enforcing the organization existence when processing the authorization request. Additionally it will prevent the use of a session of a user which does not belong to the required organization on the OIDC service endpoints ([CreateCallback](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.CreateCallback) and [Authorize or Deny Device Authorization](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.AuthorizeOrDenyDeviceAuthorization) endpoints).\n\n4.x: Upgrade to >=[4.12.3](https://github.com/zitadel/zitadel/releases/tag/v4.12.3)\n3.x: Update to >=[3.4.9](https://github.com/zitadel/zitadel/releases/tag/v3.4.9)\n\n### Workarounds\n\nThe recommended solution is to upgrade to a patched version. \n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to @motoki317 for reporting this vulnerability.", "title": "github - https://github.com/advisories/GHSA-g2pf-ww5m-2r9m" }, { "category": "description", "text": "### Summary\n\nA vulnerability in Zitadel's OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication.\n\n### Impact\n\nZitadel allows applications to enforce an organzation context during authentication using [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes) (`urn:zitadel:iam:org:id:{id}` and `urn:zitadel:iam:org:domain:primary:{domainname}`). If enforced, a user needs to be part of the required organization to sign in.\n\nWhile this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations.\n\nNote that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass.\n\n### Affected Versions\n\nSystems running one of the following versions are affected:\n- **4.x**: `4.0.0` through `4.12.2` (including RC versions)\n- **3.x**: `3.0.0` through `3.4.8` (including RC versions)\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by validating the provided scopes and enforcing the organization existence when processing the authorization request. Additionally it will prevent the use of a session of a user which does not belong to the required organization on the OIDC service endpoints ([CreateCallback](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.CreateCallback) and [Authorize or Deny Device Authorization](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.AuthorizeOrDenyDeviceAuthorization) endpoints).\n\n4.x: Upgrade to >=[4.12.3](https://github.com/zitadel/zitadel/releases/tag/v4.12.3)\n3.x: Update to >=[3.4.9](https://github.com/zitadel/zitadel/releases/tag/v3.4.9)\n\n### Workarounds\n\nThe recommended solution is to upgrade to a patched version. \n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to @motoki317 for reporting this vulnerability.", "title": "github - https://api.github.com/advisories/GHSA-g2pf-ww5m-2r9m" }, { "category": "description", "text": "ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33132.json" }, { "category": "description", "text": "ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33132" }, { "category": "description", "text": "A flaw was found in ZITADEL, an open-source identity management platform. A user could bypass organization enforcement during authentication due to missing controls in device authorization requests and specific login and OIDC API endpoints. This allowed users to sign in with credentials from other organizations, potentially leading to unauthorized information access.", "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33132.json" }, { "category": "description", "text": "### Summary\n\nA vulnerability in Zitadel's OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication.\n\n### Impact\n\nZitadel allows applications to enforce an organzation context during authentication using [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes) (`urn:zitadel:iam:org:id:{id}` and `urn:zitadel:iam:org:domain:primary:{domainname}`). If enforced, a user needs to be part of the required organization to sign in.\n\nWhile this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations.\n\nNote that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass.\n\n### Affected Versions\n\nSystems running one of the following versions are affected:\n- **4.x**: `4.0.0` through `4.12.2` (including RC versions)\n- **3.x**: `3.0.0` through `3.4.8` (including RC versions)\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by validating the provided scopes and enforcing the organization existence when processing the authorization request. Additionally it will prevent the use of a session of a user which does not belong to the required organization on the OIDC service endpoints ([CreateCallback](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.CreateCallback) and [Authorize or Deny Device Authorization](https://zitadel.com/docs/reference/api/oidc/zitadel.oidc.v2.OIDCService.AuthorizeOrDenyDeviceAuthorization) endpoints).\n\n4.x: Upgrade to >=[4.12.3](https://github.com/zitadel/zitadel/releases/tag/v4.12.3)\n3.x: Update to >=[3.4.9](https://github.com/zitadel/zitadel/releases/tag/v3.4.9)\n\n### Workarounds\n\nThe recommended solution is to upgrade to a patched version. \n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to @motoki317 for reporting this vulnerability.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-g2pf-ww5m-2r9m.json?alt=media" }, { "category": "description", "text": "Zitadel is missing enforcement of organization scopes in github.com/zitadel/zitadel.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/zitadel/zitadel from v3.0.0-rc.1 before v3.4.9, from v4.0.0-rc.1 before v4.12.3.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4751.json?alt=media" }, { "category": "other", "text": "0.00055", "title": "EPSS" }, { "category": "other", "text": "5.2", "title": "NCSC Score" }, { "category": "other", "text": "There is product data available from source Nvd, Is related to CWE-863 (Incorrect Authorization)", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, There is cvss data available from source Github", "title": "NCSC Score top decreasing factors" }, { "category": "details", "text": "Severity: 2\n", "title": "Vendor assessment" } ], "product_status": { "known_affected": [ "CSAFPID-5874595", "CSAFPID-5874596", "CSAFPID-5874597", "CSAFPID-1441080", "CSAFPID-2656613", "CSAFPID-5897416", "CSAFPID-5897417", "CSAFPID-5907208" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-g2pf-ww5m-2r9m" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-g2pf-ww5m-2r9m" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-g2pf-ww5m-2r9m" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33132.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33132" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - redhat", "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33132.json" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-g2pf-ww5m-2r9m.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4751.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv; redhat", "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv; redhat", "url": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv; redhat", "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv; redhat", "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-g2pf-ww5m-2r9m" }, { "category": "external", "summary": "Reference - redhat", "url": "https://www.cve.org/CVERecord?id=CVE-2026-33132" }, { "category": "external", "summary": "Reference - github; osv; redhat", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33132" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-1441080", "CSAFPID-2656613", "CSAFPID-5874595", "CSAFPID-5874596", "CSAFPID-5874597", "CSAFPID-5897416", "CSAFPID-5897417", "CSAFPID-5907208" ] } ], "title": "CVE-2026-33132" } ] }