CVE-2022-36051: CWE-436: Interpretation Conflict in zitadel zitadel

Medium
Published: Wed Aug 31 2022 (08/31/2022, 22:40:10 UTC)
Source: CVE
Vendor/Project: zitadel
Product: zitadel

Description

ZITADEL combines the ease of Auth0 and the versatility of Keycloak. **Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature where users with role `ORG_OWNER` are able to create JavaScript code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround; users should update.

AI-Powered Analysis

Last updated: 06/22/2025, 23:05:41 UTC

Technical Analysis

CVE-2022-36051 is a medium-severity vulnerability affecting ZITADEL, an identity and access management platform that combines features similar to Auth0 and Keycloak. The vulnerability arises from an interpretation conflict (CWE-436) in the implementation of the "Actions" feature, introduced in ZITADEL version 1.42.0 for the API and 1.56.0 for the Console. Actions allow users with the ORG_OWNER role to create JavaScript code that executes at specific points during the login process, enabling automation such as programmatically granting authorizations (user grants) to newly created users.

Due to a missing authorization check, these Actions can grant authorizations for projects belonging to other organizations within the same ZITADEL instance. This cross-organization privilege escalation occurs only through the Actions feature; authorization grants made directly via the API or Console are not affected. The vulnerability impacts ZITADEL versions from 1.42.0 up to but not including 1.87.1, and versions >= 2.0.0 and < 2.2.0. There is no known workaround, and users are advised to update to a patched version (1.87.1 or later on the 1.x line, 2.2.0 or later on the 2.x line). No known exploits have been reported in the wild.

The flaw could allow an ORG_OWNER to escalate privileges beyond their organization's boundaries, potentially compromising the confidentiality and integrity of data across organizations sharing the same ZITADEL instance. No user interaction is required beyond the ORG_OWNER's ability to create Actions, but the attacker must already hold ORG_OWNER privileges within their own organization. The CWE-436 classification reflects an interpretation conflict that leads to improper authorization enforcement.

Potential Impact

For European organizations using ZITADEL for identity and access management, this vulnerability poses a risk of unauthorized privilege escalation across organizational boundaries within the same ZITADEL instance. This could lead to unauthorized access to sensitive project data, user information, and potentially allow manipulation of user authorizations in other organizations. The impact is particularly significant for multi-tenant deployments where multiple organizations share a single ZITADEL instance, such as managed service providers or large enterprises with multiple subsidiaries. Confidentiality and integrity of data across organizations can be compromised, potentially violating GDPR and other data protection regulations. Availability impact is limited as the vulnerability does not directly cause denial of service. However, the breach of trust and unauthorized access could lead to reputational damage and regulatory penalties. Since the vulnerability requires ORG_OWNER privileges, the threat is limited to insiders or compromised accounts with elevated roles, but the risk remains high in environments where role assignments are not tightly controlled. The lack of a workaround means organizations must prioritize patching to mitigate risk. Given ZITADEL's growing adoption in Europe, especially among organizations seeking open-source IAM solutions, the vulnerability could affect a broad range of sectors including finance, healthcare, and government agencies.

Mitigation Recommendations

1. Immediate patching: monitor ZITADEL releases and update to 1.87.1 or later (1.x line) or 2.2.0 or later (2.x line), the first versions outside the affected range, to remediate the vulnerability.
2. Restrict ORG_OWNER role assignment: limit the number of users with ORG_OWNER privileges to the minimum necessary and enforce strict role management policies to reduce the risk of misuse.
3. Audit Actions usage: review existing Actions scripts created by ORG_OWNER users to detect any suspicious or unauthorized code that could exploit this vulnerability.
4. Segregate instances: where possible, avoid multi-tenant deployments that host multiple organizations on the same ZITADEL instance, to reduce cross-organization risk.
5. Monitor logs and alerts: implement monitoring to detect unusual authorization grants or cross-organization access patterns that may indicate exploitation attempts.
6. Implement strong authentication and account security controls for ORG_OWNER accounts to prevent compromise.
7. Engage with ZITADEL support or the community to stay informed about patches and best practices related to this vulnerability.

These steps go beyond generic advice by focusing on role management, auditing, and architectural considerations specific to ZITADEL's multi-tenant environment.
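As an added illustration (not ZITADEL's own code), the authorization rule the description says was missing, written in Go against a constructed data model: a user grant requested by an Action is allowed only for a project that the acting organization owns or has been explicitly granted. The same rule is then run over recorded grants, which is the shape of the Actions audit in recommendation 3 and the cross-organization monitoring in recommendation 5. All names, the sample data and the project-grant concept are assumptions for this example.

```go
package main

import "fmt"

// UserGrantRequest is what an Action asks the system to create for a user.
// Constructed type for this example; an assumption, not ZITADEL's own code.
type UserGrantRequest struct {
	ActorOrg  string // organization of the ORG_OWNER whose Action is running
	UserID    string
	ProjectID string
}
// Directory maps each project to its owning organization and to the organizations
// it was explicitly granted to (cross-org project grants are assumed here as a concept).
type Directory struct {
	ProjectOwner  map[string]string
	ProjectGrants map[string]map[string]bool
}
// Authorize is the kind of check the advisory says was missing for Actions: the
// target project must be owned by, or granted to, the acting organization.
func (d Directory) Authorize(r UserGrantRequest) error {
	owner, ok := d.ProjectOwner[r.ProjectID]
	if !ok {
		return fmt.Errorf("project %s not found", r.ProjectID)
	}
	if owner == r.ActorOrg || d.ProjectGrants[r.ProjectID][r.ActorOrg] {
		return nil
	}
	return fmt.Errorf("org %s may not grant project %s owned by org %s", r.ActorOrg, r.ProjectID, owner)
}
// FlagCrossOrgGrants applies the same rule to already-recorded grants (for example
// exported from audit events) and returns those an Action should never have created.
func (d Directory) FlagCrossOrgGrants(events []UserGrantRequest) (flagged []UserGrantRequest) {
	for _, e := range events {
		if d.Authorize(e) != nil {
			flagged = append(flagged, e)
		}
	}
	return flagged
}
func main() {
	d := Directory{
		ProjectOwner:  map[string]string{"proj-a": "org-1", "proj-b": "org-2", "proj-c": "org-2"},
		ProjectGrants: map[string]map[string]bool{"proj-c": {"org-1": true}},
	}
	// Constructed samples from an Action of org-1: own project, another org's project (the CVE case), a granted project.
	events := []UserGrantRequest{{"org-1", "u7", "proj-a"}, {"org-1", "u7", "proj-b"}, {"org-1", "u7", "proj-c"}}
	for _, f := range d.FlagCrossOrgGrants(events) {
		fmt.Printf("cross-org grant: org %s -> project %s (user %s)\n", f.ActorOrg, f.ProjectID, f.UserID)
	}
}
```

Only the grant on proj-b is flagged: org-1 neither owns it nor holds a project grant for it.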

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-07-15T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf3c77

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 11:05:41 PM

Last updated: 8/11/2025, 9:31:49 AM
