
The ZITADEL project, an open-source identity and access management solution, has issued a critical security advisory regarding multiple Insecure Direct Object Reference (IDOR) vulnerabilities in their Admin API. These vulnerabilities, tracked as CVE-2025-27507 and assigned a CVSS score of 9.0, could allow authenticated users to modify sensitive settings and potentially gain unauthorized access to user accounts.
“ZITADEL’s Admin API, intended for managing ZITADEL instances, contains 12 HTTP endpoints that are unexpectedly accessible to authenticated ZITADEL users who are not ZITADEL managers,” the advisory states. The most severe vulnerabilities affect endpoints related to LDAP configuration; LDAP is a widely used protocol for user authentication.
By exploiting these vulnerabilities, attackers could:
- Modify ZITADEL’s instance LDAP settings: This could allow malicious actors to redirect all LDAP login attempts to a server under their control, effectively taking over user accounts.
- Expose the original LDAP server’s password: This could compromise all user accounts associated with that server.
“By accessing these endpoints, unauthorized users could modify ZITADEL’s instance LDAP settings, redirecting all LDAP login attempts to a malicious server, effectively taking over user accounts,” warns the advisory.
While the most critical vulnerabilities primarily impact ZITADEL instances utilizing LDAP for authentication, the advisory also details several other vulnerable endpoints that could allow unauthorized modification of instance settings such as languages, labels, and templates.
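The flaw described above is an authorization gap: the endpoints verified that a caller was authenticated but not that the caller held the instance-manager role. The following added example (not ZITADEL's code; route paths and role names are hypothetical placeholders) contrasts the authentication-only check with a hardened role check that also denies unmapped admin paths by default.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Principal is an authenticated caller; role names here are hypothetical, not ZITADEL's.
type Principal struct{ Roles []string }
func (p *Principal) has(role string) bool {
	for _, r := range p.Roles {
		if r == role {
			return true
		}
	}
	return false
}
// Admin-API route prefixes and the role each requires (placeholder paths, not real routes).
var adminRoutes = []struct{ prefix, role string }{
	{"/admin/v1/idps/ldap", "INSTANCE_MANAGER"},
	{"/admin/v1/policies/label", "INSTANCE_MANAGER"},
}
// authnOnly is the flawed pattern behind this bug class: any authenticated
// principal passes, so an ordinary org user reaches manager-only endpoints.
func authnOnly(p *Principal, path string) int {
	if p == nil {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}
// authorize is the hardened check: authentication, then the role the matched
// route demands, and deny-by-default for any admin path with no mapping.
func authorize(p *Principal, path string) int {
	if p == nil {
		return http.StatusUnauthorized
	}
	for _, r := range adminRoutes {
		if strings.HasPrefix(path, r.prefix) {
			if p.has(r.role) {
				return http.StatusOK
			}
			return http.StatusForbidden
		}
	}
	return http.StatusForbidden
}

func main() {
	user := &Principal{Roles: []string{"ORG_USER"}}
	fmt.Println(authnOnly(user, "/admin/v1/idps/ldap"), authorize(user, "/admin/v1/idps/ldap")) // 200 403
}
```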
ZITADEL urges all users to upgrade to the patched version as soon as possible. Patches are available for various versions of ZITADEL 2.x, with specific details outlined in the official security advisory.
CVE-2025-27507 was discovered by Amit Laish, a senior security researcher from GE Vernova. ZITADEL has expressed gratitude to Laish for responsibly reporting the vulnerability.