CVE-2026-55670

Severity CVSS v4.0:
LOW
Type:
CWE-284 Improper Access Control
Publication date:
10/07/2026
Last modified:
10/07/2026

Description

ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.