CVE-2025-27507 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-27507 Interim 1 7 2026-03-05T01:11:08Z current 2025-03-14T00:12:12Z 2026-03-05T01:11:08Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-27507 The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE SUSE Linux Enterprise Server 16.0 openSUSE Tumbleweed govulncheck-vulndb-0.0.20250312T181707-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 libxml2-2-2.11.6-3.1 libxml2-tools-2.11.6-3.1 update-alternatives-1.22.0-slfo.1.1_2.1 libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/baremetal-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/kvm-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/rt-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/toolbox:latest libxml2-2-2.11.6-3.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-qcow update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-qcow libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-GCE govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250312T181707-1.1 as a component of openSUSE Tumbleweed The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8. CVE-2025-27507 Container suse/sl-micro/6.0/baremetal-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/base-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/kvm-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/rt-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/toolbox:latest:libxml2-2-2.11.6-3.1 Image SL-Micro:libxml2-2-2.11.6-3.1 Image SL-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro:libxml2-2-2.11.6-3.1 Image SLE-Micro:libxml2-tools-2.11.6-3.1 Image SLE-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1 critical