CVE-2025-46815: The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of ...

Description

The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.

Metrics

CVSS 3.1

8/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Probability

0.39%

30.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Zitadel	Zitadel	< 2.70.10	—
Zitadel	Zitadel	>= 2.71.0, < 2.71.9	—
Zitadel	Zitadel	3.0.0	Rc1

References

https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162Patch
https://github.com/zitadel/zitadel/releases/tag/v2.70.10Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.71.9Release Notes
https://github.com/zitadel/zitadel/releases/tag/v3.0.0Release Notes
https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fqVendor Advisory

Timeline

Published: May 6, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-46815?

The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.

How severe is CVE-2025-46815?

CVE-2025-46815 has a CVSS score of 8/10 (HIGH severity). The EPSS model estimates a 0.39% probability of exploitation in the next 30 days.

How do I fix CVE-2025-46815?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.