Overview

CVE-2026-58165 is a privilege escalation vulnerability in OpenZiti, a zero-trust overlay network. The vulnerability affects OpenZiti versions up to 2.0.0 and is fixed in commit 3027fdf. This vulnerability allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator.

Understanding the Vulnerability / Threat

Root Cause Analysis

The root cause of this vulnerability is a design issue in the `ApplyCreate` function in `controller/model/enrollment_manager.go`. The function verifies only that the target identity exists without performing authorization checks binding the caller to the target identity. This allows an attacker to create enrollments for any identity, including the default administrator. This vulnerability belongs to the CWE-862 category, which is related to missing authorization.

Attack Surface & Vector

The attack surface of this vulnerability is the enrollment management endpoint. An attacker can reach this endpoint through the unauthenticated client API enrollment endpoint. The preconditions needed for this attack are that the attacker must have an authenticated non-admin identity with fine-grained enrollment management permissions.

Exploitation Mechanics — Scenario Walkthrough

Scenario: Compromising a Corporate OpenZiti Instance 1. Initial Position: An attacker has an authenticated non-admin identity with fine-grained enrollment management permissions in a corporate OpenZiti instance. 2. Triggering the Flaw: The attacker uses the enrollment management endpoint to create an enrollment for the default administrator identity. The `ApplyCreate` function verifies that the target identity exists but does not perform authorization checks to ensure the caller is bound to the target identity. 3. What Breaks: The security boundary fails because the authorization check is missing, allowing the attacker to create an enrollment for the default administrator identity. 4. Attacker's Prize: The attacker can redeem the resulting one-time token through the unauthenticated client API enrollment endpoint to obtain a client certificate authenticating as the targeted admin identity. This yields full administrative control of the controller and the zero-trust overlay it manages.

Real-World Impact

An attacker can use this vulnerability to gain full administrative control of the controller and the zero-trust overlay it manages. This can lead to a complete compromise of the corporate OpenZiti instance, allowing the attacker to manage the zero-trust overlay and potentially move laterally within the network.

Detection & Defense

Immediate Mitigations

The immediate mitigation for this vulnerability is to upgrade OpenZiti to a version that includes the fix, such as commit 3027fdf or later.

Detection Strategies

Defenders can detect exploitation attempts by monitoring the enrollment management endpoint for suspicious activity, such as unusual enrollment requests. They can also monitor the system logs for any signs of unauthorized access or privilege escalation.

Long-Term Hardening

To prevent this class of vulnerability, it is essential to implement robust authorization checks and ensure that the `ApplyCreate` function is properly secured. Additionally, defenders should implement defense-in-depth strategies, such as monitoring and logging, to detect and respond to potential security incidents.

Key Takeaways

* CVE-2026-58165 is a privilege escalation vulnerability in OpenZiti that allows authenticated non-admin identities to create enrollments for any identity, including the default administrator. * The vulnerability is caused by a design issue in the `ApplyCreate` function that lacks authorization checks. * An attacker can use this vulnerability to gain full administrative control of the controller and the zero-trust overlay it manages. * Immediate mitigation involves upgrading OpenZiti to a version that includes the fix. * Defenders should implement robust authorization checks and defense-in-depth strategies to prevent and detect this class of vulnerability.

Sources

* National Vulnerability Database (NVD) * OpenZiti GitHub repository