
CVE-2025-46815: CWE-613: Insufficient Session Expiration in zitadel zitadel

Severity: High
Tags: CVE-2025-46815, cve, cwe-613, cwe-294, cwe-384
Published: Tue May 06 2025 (05/06/2025, 17:13:53 UTC)
Source: CVE
Vendor/Project: zitadel
Product: zitadel

Description

The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 17:40:48 UTC

Technical Analysis

CVE-2025-46815 is a high-severity vulnerability in the identity infrastructure software ZITADEL, classified as insufficient session expiration (CWE-613) and additionally tagged as authentication bypass by capture-replay (CWE-294) and session fixation (CWE-384). ZITADEL's Session API lets developers manage user sessions and delegate authentication to external identity providers (IdPs) through "idp intents". Once the IdP login succeeds, ZITADEL redirects the client to a predefined URI carrying an intent id and token; the client then presents that pair to the Session API to authenticate the user or bind the session. Prior to the fixed versions 3.0.0, 2.71.9 and 2.70.10, a completed intent was not invalidated after use, so the same id and token could be presented repeatedly. An attacker who obtained the application's URI, and with it the id and token it carries, could replay the pair and authenticate as the victim without knowing any credential. If the user has additional factors (MFA) enrolled, a replayed intent satisfies only the IdP step: the authentication cannot be completed and the ZITADEL API remains inaccessible. The CVSS 3.1 base score is 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N): network attack vector, high attack complexity, no privileges required, user interaction required, changed scope, high confidentiality and integrity impact and no availability impact. No exploitation in the wild had been reported at the time of enrichment, and the only remediation is upgrading. The root cause is that a one-time artifact of the IdP flow was treated as reusable, which is the replay pattern behind session fixation and session hijacking.
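The following Go program is an added illustration of the mechanism described in the Description and Technical Analysis above; it is not ZITADEL's code. It models an IdP intent store with two verifiers: VerifyReusable reproduces the pre-fix behaviour (the token is checked but never invalidated, so the pair from a leaked callback URI can be replayed), and ConsumeOnce shows the hardening a practitioner would expect (constant-time token comparison, a bounded lifetime, single use under a lock). The type and field names, the 10-minute lifetime and the sample id/token values are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Intent models what a server keeps for an IdP intent once the external IdP
// has redirected back: the id and token handed to the client on the callback
// URI, when the IdP login succeeded, and whether a session has already been
// bound to it. Field names and the lifetime are assumptions for this example,
// not ZITADEL's own types or defaults.
type Intent struct {
	ID          string
	Token       []byte
	SucceededAt time.Time
	Consumed    bool
}

var (
	ErrUnknownIntent = errors.New("unknown intent id")
	ErrBadToken      = errors.New("intent token mismatch")
	ErrExpired       = errors.New("intent expired")
	ErrAlreadyUsed   = errors.New("intent already used to create a session")
)

// intentTTL bounds how long a succeeded intent may be exchanged for a session.
const intentTTL = 10 * time.Minute

// IntentStore is an in-memory map guarded by a mutex; the clock is injectable
// so expiry can be exercised deterministically.
type IntentStore struct {
	mu      sync.Mutex
	intents map[string]*Intent
	now     func() time.Time
}

func NewIntentStore(now func() time.Time) *IntentStore {
	return &IntentStore{intents: make(map[string]*Intent), now: now}
}

// Add records an intent as succeeded at the current time, as the IdP callback
// handler would just before redirecting to the client's URI with id and token.
func (s *IntentStore) Add(id string, token []byte) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.intents[id] = &Intent{ID: id, Token: append([]byte(nil), token...), SucceededAt: s.now()}
}

// VerifyReusable reproduces the pre-fix behaviour: the token is checked but
// nothing is recorded, so anyone holding the id/token pair (for instance from
// a logged callback URI) can present it again and again.
func (s *IntentStore) VerifyReusable(id string, token []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	in, ok := s.intents[id]
	if !ok {
		return ErrUnknownIntent
	}
	if subtle.ConstantTimeCompare(in.Token, token) != 1 {
		return ErrBadToken
	}
	return nil
}

// ConsumeOnce is the hardened behaviour: the same token check, plus a
// lifetime and a single-use flag that is read and set under the lock so two
// concurrent replays cannot both succeed. The token is checked before the
// consumed flag so a wrong token learns nothing about the intent's state.
func (s *IntentStore) ConsumeOnce(id string, token []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	in, ok := s.intents[id]
	if !ok {
		return ErrUnknownIntent
	}
	if subtle.ConstantTimeCompare(in.Token, token) != 1 {
		return ErrBadToken
	}
	if s.now().Sub(in.SucceededAt) > intentTTL {
		return ErrExpired
	}
	if in.Consumed {
		return ErrAlreadyUsed
	}
	in.Consumed = true
	return nil
}

func main() {
	store := NewIntentStore(time.Now)
	// Constructed values standing in for the id and token a callback URI carries.
	tok := []byte("constructed-intent-token")
	store.Add("intent-123", tok)
	fmt.Println("pre-fix, first use:  ", store.VerifyReusable("intent-123", tok))
	fmt.Println("pre-fix, replay:     ", store.VerifyReusable("intent-123", tok))
	fmt.Println("hardened, first use: ", store.ConsumeOnce("intent-123", tok))
	fmt.Println("hardened, replay:    ", store.ConsumeOnce("intent-123", tok))
}
```

Running it shows the pre-fix verifier returning nil for both presentations, while the hardened one accepts the first and rejects the replay with ErrAlreadyUsed; the single-use flag, not the lifetime, is what closes the replay window, and the lifetime only caps how long an unused intent stays exchangeable.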

Potential Impact

For European organizations relying on ZITADEL for identity and session management, this vulnerability poses a significant risk. Successful exploitation yields a session for the victim user, and with it whatever that user can reach through applications that trust ZITADEL: personal data, intellectual property and business systems alike. Because identity infrastructure fronts cloud services, internal applications and third-party integrations, replaying an intent for a privileged user is a direct path to privilege escalation and lateral movement. The confidentiality and integrity of user sessions are directly threatened, raising the risk of data breaches and compliance violations under regulations such as GDPR. Users without MFA are exposed to full compromise; with MFA enrolled the attacker can satisfy only the IdP step. There is no availability impact, so service disruption is unlikely, but a login through a replayed intent looks like a legitimate IdP authentication and can persist undetected. Exploitation requires obtaining the application's URI carrying the id and token, and it needs user interaction, since the intent only exists once the victim has completed the IdP login; this limits mass exploitation but leaves a serious threat in targeted attacks and wherever the callback URI can be observed, for example by an insider with access to proxy or application logs.

Mitigation Recommendations

The only fix is to upgrade ZITADEL to a patched release: 3.0.0, 2.71.9 or 2.70.10, or any later version on the same release line. Affected deployments should be patched immediately; the advisory lists no workaround. The following measures reduce exposure until the upgrade lands and serve as defense in depth afterwards. Enforce multi-factor authentication: a replayed intent satisfies only the IdP step, so MFA stops the attacker short of a usable session and should be mandated for all users. Log session creation and token issuance, and alert when the same idp intent id appears on more than one session-creation request; a succeeded intent should be exchanged exactly once, so any repeat is either exploitation or a client bug worth fixing. Keep the callback URI that carries the id and token out of access logs, browser history and Referer headers where the application design allows, since that URI is what the attacker needs. Restricting the application's URI endpoints to trusted networks or a VPN narrows who can reach the Session API in the first place. Shorter session lifetimes and tighter token expiry than the defaults limit how long a hijacked session stays usable, though they do not address the intent reuse itself. Security teams should audit session-management configuration regularly, make sure developers using the Session API never persist or re-present intent tokens, and update incident response plans with detection and remediation steps for session hijacking.
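As an added example of the detection recommended above (not code from the page or from ZITADEL), the Go program below scans JSON-lines session-creation records for an idp intent id that was exchanged more than once and reports the sessions and source addresses involved. The record shape, field names and the sample log are constructed for this example; map the fields to whatever your deployment actually logs for Session API calls that carry an intent.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// sessionEvent is the record shape this example assumes for one audit line.
// The field names are constructed; they are not ZITADEL's own log schema.
type sessionEvent struct {
	Time      string `json:"ts"`
	Event     string `json:"event"`
	IntentID  string `json:"intentId"`
	SessionID string `json:"sessionId"`
	SourceIP  string `json:"srcIp"`
}

// Finding reports one intent id that was exchanged for a session more than
// once, with the distinct sessions and source addresses involved.
type Finding struct {
	IntentID  string
	Uses      int
	Sessions  []string
	SourceIPs []string
}

// FindReplayedIntents scans JSON-lines audit records and returns every intent
// id seen on two or more session.create events, sorted by id. A succeeded
// intent is meant to be exchanged exactly once, so any second use is either
// the CVE-2025-46815 replay or a client retry that needs explaining.
// Malformed lines are reported as errors rather than silently skipped.
func FindReplayedIntents(lines []string) ([]Finding, error) {
	type agg struct {
		sessions map[string]struct{}
		ips      map[string]struct{}
		uses     int
	}
	byIntent := map[string]*agg{}
	for i, raw := range lines {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		var ev sessionEvent
		if err := json.Unmarshal([]byte(raw), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		// Password, passkey or other non-intent sessions are out of scope here.
		if ev.Event != "session.create" || ev.IntentID == "" {
			continue
		}
		a := byIntent[ev.IntentID]
		if a == nil {
			a = &agg{sessions: map[string]struct{}{}, ips: map[string]struct{}{}}
			byIntent[ev.IntentID] = a
		}
		a.uses++
		a.sessions[ev.SessionID] = struct{}{}
		a.ips[ev.SourceIP] = struct{}{}
	}
	var out []Finding
	for id, a := range byIntent {
		if a.uses < 2 {
			continue
		}
		out = append(out, Finding{IntentID: id, Uses: a.uses, Sessions: sortedKeys(a.sessions), SourceIPs: sortedKeys(a.ips)})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IntentID < out[j].IntentID })
	return out, nil
}

func sortedKeys(m map[string]struct{}) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// SampleLog is a constructed audit excerpt: intent "int-a1" is exchanged
// twice from two different addresses, which is the replay signature.
var SampleLog = []string{
	`{"ts":"2025-05-06T10:00:01Z","event":"session.create","intentId":"int-a1","sessionId":"s-100","srcIp":"198.51.100.7"}`,
	`{"ts":"2025-05-06T10:00:05Z","event":"session.create","intentId":"int-b2","sessionId":"s-101","srcIp":"198.51.100.8"}`,
	`{"ts":"2025-05-06T10:03:40Z","event":"session.create","intentId":"int-a1","sessionId":"s-102","srcIp":"203.0.113.21"}`,
	`{"ts":"2025-05-06T10:04:00Z","event":"session.create","intentId":"","sessionId":"s-103","srcIp":"198.51.100.9"}`,
	`{"ts":"2025-05-06T10:04:30Z","event":"session.delete","intentId":"int-b2","sessionId":"s-101","srcIp":"198.51.100.8"}`,
}

func main() {
	findings, err := FindReplayedIntents(SampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("intent %s used %d times: sessions=%v sourceIPs=%v\n", f.IntentID, f.Uses, f.Sessions, f.SourceIPs)
	}
}
```

A single intent id bound to two session ids from two addresses is the strongest signal; the same id reused from one address within seconds is more likely a client retry and should be triaged, not ignored, since on an unpatched server both cases produce a working session.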


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-30T19:41:58.133Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981cc4522896dcbda280

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/5/2025, 5:40:48 PM

Last updated: 7/31/2025, 7:24:04 AM
