
5 matches found

OSV
added 2026/03/20 10:21 a.m., 1 view

CVE-2026-33132 ZITADEL is missing enforcement of organization scopes

ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organization context during authentication using scopes urn:zitadel:iam:org:id:...

CVSS 5.3, AI score 6.2, EPSS 0.00077
Exploits: 0, References: 6
Positive Technologies
added 2026/03/18 12:0 a.m., 3 views

PT-2026-26195

Summary: A vulnerability in Zitadel's OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication. Impact: Zitadel allows applications to enforce an organization context during authentication using scopes urn:zitadel:iam:org:id:id and...

CVSS 5.3, AI score 5.8, EPSS 0.00077
Exploits: 0, References: 11
OSV
added 2026/01/22 6:4 p.m., 4 views

GHSA-J8HF-CP34-G4J7 Dragonfly Manager Job API Unauthenticated Access

Summary: Dragonfly Manager's Job REST API endpoints lack authentication, allowing unauthenticated attackers to create, query, modify, and delete jobs, potentially leading to resource exhaustion, information disclosure, and service disruption. Affected Products: Product: Dragonfly; Component:...

CVSS 9.3, AI score 5.9, EPSS 0.0012
Exploits: 1, References: 4
NVD
added 2025/09/14 5:15 a.m., 3 views

CVE-2025-59363

In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 even though this secret should only be returned when an App is first created,...

CVSS 7.7, EPSS 0.00069
Exploits: 0, References: 1
OSV
added 2025/06/19 11:15 a.m., 3 views

CVE-2025-32896

Summary: Unauthorized users can perform Arbitrary File Read and Deserialization attacks by submitting a job using restful api-v1. Details: Unauthorized users can access /hazelcast/rest/maps/submit-job to submit a job. An attacker can set extra params in mysql url to perform Arbitrary File Read and...

CVSS 6.5, AI score 9.5
Exploits: 0, References: 3