CVE-2026-58165
OpenZiti - Privilege Escalation to Admin via Unauthorized Enrollment Creation
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.7EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado
Lifecycle
30 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go verifies only that the target identity exists without performing authorization checks binding the caller to the target identity. Attackers can redeem the resulting one-time token through the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity, yielding full administrative control of the controller and the zero-trust overlay it manages.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
openziti · zitipublic PoCs found — 1
cve_referencegithub.com/openziti/ziti/issues/4010unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →