CVE-2025-27507 · CRITICAL 9.0 · EPSS p43.3%


Description

The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users without specific IAM roles to modify sensitive settings. Several endpoints are affected; the most critical issue is the ability to manipulate LDAP configurations. Customers who do not use LDAP for authentication are not exposed to the most severe aspect of this vulnerability, but upgrading to a patched version to address all identified issues is strongly recommended. The vulnerability is fixed in 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5 and 2.63.8.
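The fix list above is per minor branch: 2.64.0 is affected even though it is numerically above 2.63.8, so a flat "greater than or equal" comparison against the lowest fixed version gives the wrong answer. The following Go check, added here as an example and not code from the Zitadel project, compares a deployed version against the threshold of its own branch. It assumes that branches newer than 2.71 and all 3.x releases were cut after the fix, that branches older than 2.63 received no backport (treated as affected), and it rejects pre-release tags rather than guessing about them.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedPatch maps each 2.x minor branch listed in the advisory to the first
// patch release of that branch that contains the fix for CVE-2025-27507.
var fixedPatch = map[int]int{
	63: 8, 64: 5, 65: 6, 66: 11, 67: 8, 68: 4, 69: 4, 70: 1, 71: 0,
}

// parseVersion accepts "2.70.1" or "v2.70.1". Pre-release tags ("2.71.0-rc.1")
// are rejected: such a build may predate the fix commit, so check it by hand.
func parseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata carries no ordering
		v = v[:i]
	}
	if strings.Contains(v, "-") {
		return 0, 0, 0, fmt.Errorf("pre-release tag %q: compare against the fix commit manually", v)
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("malformed version %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, fmt.Errorf("malformed version %q", v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// IsFixed reports whether a ZITADEL release contains the fix. The fix was
// backported per minor branch, so the branch's own threshold is what counts.
func IsFixed(version string) (bool, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	switch {
	case major > 2:
		return true, nil // assumption: every 3.x release was cut after the 2.71.0 fix
	case major < 2:
		return false, nil
	case minor > 71:
		return true, nil // assumption: branches newer than 2.71 branched from fixed code
	}
	fix, ok := fixedPatch[minor]
	if !ok {
		return false, nil // no backport listed for branches older than 2.63: treat as affected
	}
	return patch >= fix, nil
}

func main() {
	// Constructed sample inputs covering each branch of the decision.
	for _, v := range []string{"2.62.9", "2.64.4", "v2.64.5", "2.70.0", "2.71.0", "2.72.0", "2.71.0-rc.1"} {
		ok, err := IsFixed(v)
		fmt.Printf("%-12s fixed=%-5v err=%v\n", v, ok, err)
	}
}
```

Run it against the version string reported by your deployment; an error result means the tag needs manual comparison against the fix commit in the references rather than a yes/no answer.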

Scoring

CVSS 3.1  9.0 (CRITICAL)
Vector  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
EPSS  0.58% probability of exploitation · percentile 43.3% · 2026-06-18T12:00:27Z
Published  2025-03-04
Last modified  2025-08-26

Underlying weaknesses · 1

CWE-639 · Authorization Bypass Through User-Controlled Key
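CWE-639 in the setting the description gives: the caller supplies the ID of an instance-level LDAP configuration and the Admin API acts on it after checking only that the caller is authenticated, not that they hold an IAM role. The Go program below is an added example, not Zitadel's code and not the content of the linked fix commit; it models the common pattern of a method-to-permission table consulted before each API method, with the weak mapping ("any authenticated user") beside the corrected one. Method names, permission strings ("iam.idp.write"), config fields and sample data are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Caller is an authenticated principal together with the instance-level
// permissions its roles grant. Permission strings are assumptions.
type Caller struct {
	UserID      string
	Permissions map[string]bool
}

// LDAPConfig is the sensitive, instance-wide object the advisory names;
// the fields are illustrative.
type LDAPConfig struct {
	ID      string
	Servers []string
	BindDN  string
}

// Authenticated is the permission value meaning "any logged-in user".
const Authenticated = "authenticated"

var ErrPermissionDenied = errors.New("permission denied")

// Vulnerable mapping: the LDAP update is gated only on being authenticated.
// The caller picks the config ID (the user-controlled key of CWE-639) and no
// role is required to act on it.
var vulnerableMethods = map[string]string{
	"UpdateLDAPProvider": Authenticated,
}

// Hardened mapping: the same method requires an IAM-level write permission.
var hardenedMethods = map[string]string{
	"UpdateLDAPProvider": "iam.idp.write",
}

// Authorize is the interceptor-style check run before every Admin API method.
func Authorize(table map[string]string, caller Caller, method string) error {
	perm, ok := table[method]
	if !ok {
		// Fail closed: a method with no mapping must never be callable.
		return fmt.Errorf("%w: method %q has no permission mapping", ErrPermissionDenied, method)
	}
	if perm == Authenticated || caller.Permissions[perm] {
		return nil
	}
	return fmt.Errorf("%w: %s requires %s", ErrPermissionDenied, method, perm)
}

// AdminAPI stores instance-level LDAP configs keyed by their ID.
type AdminAPI struct {
	methods map[string]string
	ldap    map[string]*LDAPConfig
}

// NewAdminAPI seeds one constructed config so a caller-supplied ID has a target.
func NewAdminAPI(methods map[string]string) *AdminAPI {
	return &AdminAPI{
		methods: methods,
		ldap: map[string]*LDAPConfig{
			"ldap-1": {ID: "ldap-1", Servers: []string{"ldaps://ldap.internal:636"}, BindDN: "cn=svc,dc=example,dc=org"},
		},
	}
}

// UpdateLDAPProvider runs the permission check, then the keyed lookup and write.
// Pointing Servers at an attacker host would let that host see bind credentials
// and answer authentication requests, which is why the role check matters.
func (a *AdminAPI) UpdateLDAPProvider(caller Caller, id string, servers []string) error {
	if err := Authorize(a.methods, caller, "UpdateLDAPProvider"); err != nil {
		return err
	}
	cfg, ok := a.ldap[id]
	if !ok {
		return fmt.Errorf("ldap config %q not found", id)
	}
	cfg.Servers = servers
	return nil
}

// Servers returns the configured server list for a config ID (nil if unknown).
func (a *AdminAPI) Servers(id string) []string {
	if cfg, ok := a.ldap[id]; ok {
		return cfg.Servers
	}
	return nil
}

func main() {
	lowPriv := Caller{UserID: "alice", Permissions: map[string]bool{}} // no IAM role
	rogue := []string{"ldap://attacker.example:389"}
	for _, name := range []string{"vulnerable", "hardened"} {
		table := vulnerableMethods
		if name == "hardened" {
			table = hardenedMethods
		}
		api := NewAdminAPI(table)
		err := api.UpdateLDAPProvider(lowPriv, "ldap-1", rogue)
		fmt.Printf("%-10s err=%v servers=%v\n", name, err, api.Servers("ldap-1"))
	}
}
```

The point of the table-driven check is that the permission decision is made once, before the handler ever dereferences the caller-supplied ID; fixing the mapping fixes every caller of that method, and an unmapped method is denied rather than silently allowed.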

References

  1. https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4
  2. https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x

Type      Target                                                      Confidence  Tier
Weakness  Authorization Bypass Through User-Controlled Key (cwe-639)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-53895
  2. CVE-2026-29193
  3. CVE-2025-64717
  4. CVE-2025-67494
  5. CVE-2025-48936
  6. CVE-2026-29191
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.