11 matches found
CVE-2026-56295
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...
EUVD-2026-38122
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...
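The two Capgo entries above describe a permission check that verifies the API key's organization rights but never consults the organization's key-expiration policy. The following is an added illustration written for this page, not Capgo's own code; every name (`hasOrgRight`, `hasOrgRightWithPolicy`, the `webhook:write` right, the `OrgPolicy` field) is an assumption standing in for the real functions the advisory names:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical model of the gap in the Capgo advisory: a webhook permission
// check that stops at "key has the right in this org" and skips the
// organization's require-expiration policy. Not Capgo code.

type APIKey struct {
	OrgID     string
	Rights    map[string]bool // e.g. "webhook:write"
	ExpiresAt *time.Time      // nil means the key never expires
}

type OrgPolicy struct {
	RequireAPIKeyExpiration bool
}

var (
	ErrWrongOrg       = errors.New("api key belongs to another organization")
	ErrNoRight        = errors.New("api key lacks the required right")
	ErrKeyExpired     = errors.New("api key has expired")
	ErrExpiryRequired = errors.New("organization policy requires an expiring api key")
)

// hasOrgRight is the check both paths share: right org, right granted,
// and not past the expiry date if one is set.
func hasOrgRight(k APIKey, orgID, right string, now time.Time) error {
	if k.OrgID != orgID {
		return ErrWrongOrg
	}
	if !k.Rights[right] {
		return ErrNoRight
	}
	if k.ExpiresAt != nil && now.After(*k.ExpiresAt) {
		return ErrKeyExpired
	}
	return nil
}

// hasOrgRightWithPolicy additionally rejects non-expiring keys when the
// organization's policy demands an expiry.
func hasOrgRightWithPolicy(k APIKey, orgID, right string, pol OrgPolicy, now time.Time) error {
	if err := hasOrgRight(k, orgID, right, now); err != nil {
		return err
	}
	if pol.RequireAPIKeyExpiration && k.ExpiresAt == nil {
		return ErrExpiryRequired
	}
	return nil
}

// vulnerableWebhookPermission never looks at the policy.
func vulnerableWebhookPermission(k APIKey, orgID string, _ OrgPolicy, now time.Time) error {
	return hasOrgRight(k, orgID, "webhook:write", now)
}

// fixedWebhookPermission routes through the policy-aware check.
func fixedWebhookPermission(k APIKey, orgID string, pol OrgPolicy, now time.Time) error {
	return hasOrgRightWithPolicy(k, orgID, "webhook:write", pol, now)
}

func main() {
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	later := now.Add(24 * time.Hour)
	pol := OrgPolicy{RequireAPIKeyExpiration: true}
	keys := map[string]APIKey{ // constructed sample keys
		"non-expiring": {OrgID: "org-1", Rights: map[string]bool{"webhook:write": true}},
		"expiring":     {OrgID: "org-1", Rights: map[string]bool{"webhook:write": true}, ExpiresAt: &later},
	}
	for name, k := range keys {
		fmt.Printf("%-12s vulnerable=%v fixed=%v\n", name,
			vulnerableWebhookPermission(k, "org-1", pol, now),
			fixedWebhookPermission(k, "org-1", pol, now))
	}
}
```

The point is that expiry enforcement lives in a separate helper, so any endpoint that calls the plain right check instead of the policy-aware one silently exempts non-expiring keys from the organization's rule.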
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
Summary A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. Impact This vulnerability stems from the...
EUVD-2025-175316
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP...
CVE-2025-64717
ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding Id...
CVE-2025-64717 ZITADEL vulnerable to Account Takeover with deactivated Instance IdP
ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding Id...
CVE-2025-64717
Summary of CVE-2025-64717 (ZITADEL): A flaw in ZITADEL's federation/auto-linking during authentication allows linking an external IdP user to an existing internal user when the IdP is deactivated or not permitted for the organization. This can enable an unauthenticated account takeover, unless MF...
PT-2025-46850
Name of the Vulnerable Software and Affected Versions ZITADEL versions 2.50.0 through 2.71.18 ZITADEL versions 3.0.0-rc.1 through 3.4.3 ZITADEL versions 4.0.0-rc.1 through 4.6.5 Description ZITADEL, an open source identity management platform, has a flaw in its federation process. This issue allo...
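The ZITADEL entries above all describe the same decision: whether an identity returned by an external IdP may be auto-linked to an existing user. The following is an added illustration written for this page, not ZITADEL's code; the types, the email-based matching and the two-part check (IdP active on the instance, IdP permitted by the user's organization) are assumptions modelled on the advisory text, not the project's actual implementation:

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of the federation auto-link decision in CVE-2025-64717.
// Added illustration, not ZITADEL code; all names are assumptions.

type IdP struct {
	ID     string
	Active bool // instance-level state
}

// OrgLoginPolicy stands in for an organization's login settings.
type OrgLoginPolicy struct {
	AllowExternalIDP bool            // federated login enabled at all
	AllowedIdPIDs    map[string]bool // IdPs the org has activated
}

type User struct {
	ID, OrgID, Email string
}

// ExternalIdentity is what the IdP callback hands back.
type ExternalIdentity struct {
	IdPID, Email string
}

var (
	ErrIdPInactive   = errors.New("idp is not active on the instance")
	ErrIdPNotAllowed = errors.New("organization does not allow this idp")
	ErrNoMatch       = errors.New("no existing user matches the external identity")
)

type Store struct {
	idps     map[string]IdP
	policies map[string]OrgLoginPolicy
	users    []User
}

func (s *Store) findByEmail(email string) *User {
	for i := range s.users {
		if s.users[i].Email == email {
			return &s.users[i]
		}
	}
	return nil
}

// vulnerableAutoLink matches on the email claim alone; neither the IdP's
// state nor the organization's policy is consulted.
func (s *Store) vulnerableAutoLink(ext ExternalIdentity) (*User, error) {
	if u := s.findByEmail(ext.Email); u != nil {
		return u, nil
	}
	return nil, ErrNoMatch
}

// fixedAutoLink requires the IdP to be active on the instance and the
// matched user's organization to allow federated login through that IdP.
func (s *Store) fixedAutoLink(ext ExternalIdentity) (*User, error) {
	idp, ok := s.idps[ext.IdPID]
	if !ok || !idp.Active {
		return nil, ErrIdPInactive
	}
	u := s.findByEmail(ext.Email)
	if u == nil {
		return nil, ErrNoMatch
	}
	pol, ok := s.policies[u.OrgID]
	if !ok || !pol.AllowExternalIDP || !pol.AllowedIdPIDs[ext.IdPID] {
		return nil, ErrIdPNotAllowed
	}
	return u, nil
}

// sampleStore builds constructed data: one deactivated IdP, one active IdP,
// one org that federates through the active IdP and one that federates with nothing.
func sampleStore() *Store {
	return &Store{
		idps: map[string]IdP{
			"idp-legacy": {ID: "idp-legacy", Active: false},
			"idp-corp":   {ID: "idp-corp", Active: true},
		},
		policies: map[string]OrgLoginPolicy{
			"org-a": {AllowExternalIDP: true, AllowedIdPIDs: map[string]bool{"idp-corp": true}},
			"org-b": {AllowExternalIDP: false},
		},
		users: []User{
			{ID: "u-alice", OrgID: "org-a", Email: "alice@example.com"},
			{ID: "u-bob", OrgID: "org-b", Email: "bob@example.com"},
		},
	}
}

func main() {
	s := sampleStore()
	for _, ext := range []ExternalIdentity{
		{"idp-legacy", "alice@example.com"}, // deactivated IdP
		{"idp-corp", "bob@example.com"},     // org-b forbids federation
		{"idp-corp", "alice@example.com"},   // legitimate case
	} {
		_, vErr := s.vulnerableAutoLink(ext)
		_, fErr := s.fixedAutoLink(ext)
		fmt.Printf("%-10s %-18s vulnerable=%v fixed=%v\n", ext.IdPID, ext.Email, vErr, fErr)
	}
}
```

The ordering matters: the instance-level check runs before any user lookup, so a deactivated IdP cannot even learn whether an email exists, and the organization check is evaluated against the matched user's own organization, not the one the caller claims.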
Secure Mail gives Error: Your organization does not allow this action
- User opens Secure Mail.
- Goes into Contacts.
- Selects a contact.
- Clicks on the contact's phone number.
- Sees error message: Your organization does not allow this action...