CVE-2025-64717: 
Chainguard vulnerability analysis and mitigation

A vulnerability (CVE-2025-64717) was discovered in ZITADEL's federation process that allowed unauthorized account takeover through external identity providers. The vulnerability was disclosed on November 14, 2025, affecting ZITADEL versions 4.0.0-rc.1 through 4.6.5, 3.0.0-rc.1 through 3.4.3, and 2.50.0 through 2.71.18. The issue allowed auto-linking users from external identity providers to existing ZITADEL users even when the IdP was deactivated or federation was disallowed (GitHub Advisory).

The vulnerability stems from a failure to properly validate organization security settings during the authentication flow. The platform would incorrectly validate logins and link external identities to internal accounts based on matching criteria, without honoring disabled IdP settings or federation restrictions. The vulnerability has a CVSS v4 score of 7.4 (High) with a vector string of CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N. Only IdPs created at the instance level were affected, while IdPs registered on other organizations would be properly denied in the linking process (GitHub Advisory).

An unauthenticated attacker could initiate a login using a disabled IdP and gain full account takeover access, effectively bypassing the organization's security controls. However, accounts with Multi-Factor Authentication (MFA) enabled were protected from this attack vector (GitHub Advisory).

The vulnerability has been patched in versions 4.6.6, 3.4.4, and 2.71.19. Users are advised to upgrade to these or later versions. The patch implements proper validation of organization login policies before allowing auto-linking of external users. No alternative workarounds are provided, and upgrading to a patched version is the recommended solution (GitHub Advisory).