### Summary

Zitadel's User Service discloses the total number of instance users to unauthorized users.

### Impact

The ZITADEL User Service exposes the total number of users within an instance to any authenticated user, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the `totalResult` field constitutes an information disclosure vulnerability that may be sensitive in certain contexts.

### Affected Versions

Systems running one of the following versions are affected:

- **4.x**: `4.0.0-rc.1` through `4.7.1`
- **3.x*…
GHSA-f4cf-9rvr-2rcx: Zitadel Discloses the Total Number of Instance Users
Zitadel User Service discloses total instance user count to unauthorized users, posing an information disclosure vulnerability in versions 4.x and 3.x.