Summary
A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication.
Affected Versions
Systems running one of the following versions are affected:
- v4.x: 4.0.0-rc.1 through 4.6.5
- v3.x: 3.0.0-rc.1 through 3.4.3
- v2.x: 2.50.0 through 2.71.18
Workarounds
Upgrading to a patched version is the recommended solution.
Questions
If you have any questions or comments about this advisory, please email Zitadel at [email protected]
Credits
Thanks to Jan Kühnlein - kultify for finding and reporting the vulnerability.
Impact
This vulnerability stems from the platform's failure to correctly check or enforce an organization's specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not being honored during the auto-linking process.
This allowed an unauthenticated attacker to initiate a login using an IdP that should have been disabled for that organization. The platform would incorrectly validate the login and, based on matching criteria, link the attacker's external identity to an existing internal user account.
This may result in a full Account Takeover, bypassing the organization's mandated security controls. Note that accounts with MFA enabled cannot be taken over by this attack, since the attacker still has to pass the second factor after the link is made. Also note that only IdPs created on the instance level would allow this to work. IdPs registered on another organization would always be denied in the (auto-)linking process.
The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The vulnerability has been addressed in the latest release. The patch resolves the issue by correctly validating the organization's login policy before auto-linking an external user.
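To make the missing check concrete, the following Go example models the auto-linking decision described under Impact and the login-policy validation described in the remediation advice above. It is an added illustration, not ZITADEL's own code: the types IDP, LoginPolicy and User, the function names autoLinkVulnerable and autoLinkFixed, and the case-insensitive e-mail match used as the matching criterion are all assumptions made for the example. It shows both paths side by side: the pre-fix logic that refuses an IdP owned by another organization but never consults the target organization's policy, and the patched logic that additionally requires federation to be allowed and the specific IdP to be active before any existing account is linked.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical model of the objects involved; not ZITADEL's own types.
// OwnerOrg == "" marks an instance-level IdP; otherwise the IdP belongs to one organization.
type IDP struct {
	ID       string
	OwnerOrg string
}

// LoginPolicy stands in for the per-organization settings an Organization
// Administrator controls: whether federated login is allowed at all, and which
// IdPs have been activated for the organization.
type LoginPolicy struct {
	AllowExternalIDP bool
	ActiveIDPs       map[string]bool
}

type User struct {
	ID    string
	OrgID string
	Email string
}

var (
	ErrIDPForeignOrg  = errors.New("idp is registered on another organization")
	ErrExternalIDPOff = errors.New("organization does not allow federated authentication")
	ErrIDPNotActive   = errors.New("idp is not active for this organization")
	ErrNoMatch        = errors.New("no existing user matches the external identity")
)

// findMatch implements the "matching criteria" step: here, a case-insensitive
// e-mail match against users of the target organization (assumed criterion).
func findMatch(orgID, email string, users []User) (*User, error) {
	for i := range users {
		if users[i].OrgID == orgID && strings.EqualFold(users[i].Email, email) {
			return &users[i], nil
		}
	}
	return nil, ErrNoMatch
}

// autoLinkVulnerable mirrors the pre-fix behaviour the advisory describes:
// an IdP owned by a different organization is refused, but the target
// organization's login policy is never consulted before linking.
func autoLinkVulnerable(idp IDP, targetOrg string, _ LoginPolicy, externalEmail string, users []User) (*User, error) {
	if idp.OwnerOrg != "" && idp.OwnerOrg != targetOrg {
		return nil, ErrIDPForeignOrg
	}
	return findMatch(targetOrg, externalEmail, users)
}

// autoLinkFixed adds the two policy checks the patch enforces before any
// existing account is linked: federation must be allowed for the
// organization, and the specific IdP must be active there.
func autoLinkFixed(idp IDP, targetOrg string, policy LoginPolicy, externalEmail string, users []User) (*User, error) {
	if idp.OwnerOrg != "" && idp.OwnerOrg != targetOrg {
		return nil, ErrIDPForeignOrg
	}
	if !policy.AllowExternalIDP {
		return nil, ErrExternalIDPOff
	}
	if !policy.ActiveIDPs[idp.ID] {
		return nil, ErrIDPNotActive
	}
	return findMatch(targetOrg, externalEmail, users)
}

func main() {
	// Constructed sample data: one existing user in org-a and one instance-level
	// IdP that the org admin has deliberately not activated for org-a.
	users := []User{{ID: "u1", OrgID: "org-a", Email: "alice@example.test"}}
	idp := IDP{ID: "idp-github"}
	policy := LoginPolicy{AllowExternalIDP: true, ActiveIDPs: map[string]bool{}}

	// An attacker controlling alice@example.test at the external IdP gets linked
	// to u1 by the vulnerable path, and is refused by the fixed one.
	if u, err := autoLinkVulnerable(idp, "org-a", policy, "Alice@example.test", users); err == nil {
		fmt.Printf("vulnerable: linked external identity to user %s despite inactive IdP\n", u.ID)
	}
	if _, err := autoLinkFixed(idp, "org-a", policy, "Alice@example.test", users); err != nil {
		fmt.Println("fixed: denied:", err)
	}
}
```

The order of the checks matters in practice: ownership of the IdP is verified first (so an IdP from another organization is refused on both paths, as the advisory states), the organization-wide federation switch second, and the per-IdP activation third, all before any attribute matching against existing accounts. Matching last keeps the policy decision independent of whether a matching user happens to exist, which also avoids leaking account existence through different error paths for disabled IdPs.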
Frequently Asked Questions
- What is CVE-2025-64717? CVE-2025-64717 is a high-severity improper authentication vulnerability in github.com/zitadel/zitadel (go): external identities could be auto-linked to existing users without honoring the organization's login policy. It affects versions >= 4.0.0-rc.1, < 4.6.6, as well as >= 3.0.0-rc.1, < 3.4.4 and >= 2.50.0, < 2.71.19. It is fixed in 4.6.6, 3.4.4, 2.71.19, 1.80.0-v2.20.0.20251112124840-33c51deb2040. The application does not adequately verify the identity of a user, device, or process before granting access.
- Which versions of github.com/zitadel/zitadel are affected by CVE-2025-64717? github.com/zitadel/zitadel (go) versions >= 4.0.0-rc.1, < 4.6.6, >= 3.0.0-rc.1, < 3.4.4 and >= 2.50.0, < 2.71.19 are affected.
- Is there a fix for CVE-2025-64717? Yes. CVE-2025-64717 is fixed in 4.6.6, 3.4.4, 2.71.19, 1.80.0-v2.20.0.20251112124840-33c51deb2040. Upgrade to this version or later.
- Is CVE-2025-64717 exploitable, and should I be worried? Whether CVE-2025-64717 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-64717 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-64717?
  - Upgrade github.com/zitadel/zitadel to 4.6.6 or later
  - Upgrade github.com/zitadel/zitadel to 3.4.4 or later
  - Upgrade github.com/zitadel/zitadel to 2.71.19 or later
  - Upgrade github.com/zitadel/zitadel to 1.80.0-v2.20.0.20251112124840-33c51deb2040 or later