CVE-2025-46815
HIGHDescription
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.
Is your site exposed to CVE-2025-46815?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
| zitadel | zitadel |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-46815? +
How severe is CVE-2025-46815? +
What products are affected by CVE-2025-46815? +
How do I check if I'm vulnerable to CVE-2025-46815? +
Related Vulnerabilities
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie …
A weakness identified in OpenText Advanced Authentication where a Malicious browser plugin can record and replay the user authentication process …
Transmitted data is logged between the device and the backend service. An attacker could use these logs to perform a …
Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key …
Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the …
Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password …