Critical IDOR Vulnerabilities in ZITADEL Let Hackers Modify Key Settings

Security researchers have disclosed critical Insecure Direct Object Reference (IDOR) vulnerabilities in ZITADEL’s administration interface that expose organizations to account takeover risks and unauthorized configuration changes.

Tracked as CVE-2025-27507 with a CVSS v3.1 score of 9.1/10, these flaws allow authenticated users without proper permissions to manipulate sensitive LDAP configurations and other critical instance settings.

Vulnerability Overview

The vulnerabilities reside in ZITADEL’s Admin API, a component designed for system administrators to manage instance-level configurations.

Researchers identified 12 HTTP endpoints lacking proper authorization checks, enabling non-administrative users to access privileged functions.

The most severe flaws involve LDAP configuration endpoints (/idps/ldap and /idps/ldap/{id}), where attackers could:

1. Redirect LDAP authentication traffic to malicious servers, enabling credential interception and account hijacking
2. Extract the LDAP server’s credentials through API responses, compromising organizational directories

Non-LDAP configurations remain partially vulnerable through endpoints governing language settings (/text/message/passwordless_registration/{language}), branding templates (/policies/label/logo), and security policies (/policies/label/_activate).

Attackers could abuse these to deploy phishing interfaces or disable security controls.

The exploitability and consequences differ significantly based on deployment configurations:

• LDAP-Dependent Organizations: Full account takeover is achievable by rerouting authentication requests. A successful attack exposes all LDAP-linked user accounts and backend directory passwords.
• Non-LDAP Users: While immune to credential redirection, attackers could still alter instance branding, localization, and security policies—potentially enabling social engineering campaigns or service disruptions.

ZITADEL’s security team emphasizes that all instances require patching regardless of LDAP usage due to the cumulative risks of configuration tampering.

Mitigation and Patch Deployment

ZITADEL released updates across multiple supported versions to enforce role-based access controls (RBAC) on affected endpoints:

• v2.71.0+ for mainline deployments
• Backported fixes for versions 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8

Organizations must upgrade immediately and audit logs for unauthorized LDAP/config changes since exploit attempts leave minimal forensic traces.

As IDOR flaws remain prevalent in API-driven architectures, this incident underscores the need for continuous authorization testing—especially in identity management systems handling critical authentication flows.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free