CVE Catalog

CVE-2026-58165

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

In OpenZiti through version 2.0.0 (fixed in commit 3027fdf), a privilege escalation vulnerability exists. An authenticated non-admin identity with fine-grained enrollment management permissions can create an enrollment token for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go only verifies the target identity exists without performing authorization checks binding the caller to the target identity.

Risk Assessment

An attacker can redeem the one-time token via the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity, yielding full administrative control of the controller and the zero-trust overlay it manages.

Recommendation

Immediately update OpenZiti to a version containing commit 3027fdf or later. Restrict granting fine-grained enrollment management permissions only to trusted identities.

Original NVD description (English source)

OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go verifies only that the target identity exists without performing authorization checks binding the caller to the target identity. Attackers can redeem the resulting one-time token through the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity, yielding full administrative control of the controller and the zero-trust overlay it manages.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS