Skip to main content

ZITADEL Technical Advisories

Technical advisories are notices that report major issues with ZITADEL Self-Hosted or the ZITADEL Cloud platform that could potentially impact security or stability in production environments. These advisories may include details about the nature of the issue, its potential impact, and recommended mitigation actions.

Users are strongly encouraged to evaluate these advisories and consider the recommended mitigation actions independently from their version upgrade schedule. We understand that these advisories may include breaking changes, and we aim to provide clear guidance on how to address these changes.

AdvisoryNameTypeSummaryAffected versionsDate
A-10000Reusing user sessionBreaking Behavior Change

The default behavior for users logging in is to be directed to the Select Account Page on the Login. With the upcoming changes, users will be automatically authenticated when logging into a second application, as long as they only have one active session. No action is required on your part if this is the intended behavior.

2.32.0Calendar week 32
A-10001Login Policy - Allow RegisterBreaking Behavior Change

When disabling the option, users are currently not able to register locally and also not through an external IDP. With the upcoming change, the setting will only prevent local registration. Restriction to Identity Providers can be managed through the corresponding IDP Template. No action is required on your side if this is the intended behavior or if you already disabled registration on your IDP.

2.35.0Calendar week 34
A-10002Console - BrandingBreaking Design Change

Since Angular Material v15 many of the UI components have been refactored to be based on the official Material Design Components for Web (MDC). These refactored components do not support dynamic styling, so in order to keep the library up-to-date, the console UI will loose its dynamic theming capability. If you need users to have your branding settings (background-, button-, link and text coloring) you should implement your own user facing UI yourself and not use ZITADELs console UI. ZITADEL hosted Login-UI is not affected by this change.

2.40.0Calendar week 44
A-10003Login-UI - Default ContextBreaking Behavior Change

When users are redirected to the ZITADEL Login-UI without any organizational context, they're currently presented a login screen, based on the default settings, e.g. available IDPs and possible login mechanisms. If the user will then register themselves, by the registration form or through an IDP, the user will always be created on the default organization. With the introduced change, the settings will no longer be loaded from the instance, but rather the default organization directly.

2.38.0Calendar week 41
A-10004Sequence uniquenesBreaking Behavior Change

Due to storage optimisations ZITADEL changes the behavior of sequences. This change improves command (create, update, delete) performance of ZITADEL. Sequences are no longer unique inside an instance. From now on sequences are upcounting per aggregate id. For example sequences of newly created users begin at 1. Existing sequences remain untouched.

2.39.02023-10-14
A-10005Expected downtime during upgradeExpected downtime during upgrade

Migrating to versions >= 2.39 from < 2.39 will cause down time during setup starts and the new version is started. This is caused by storage optimisations which replace the eventstore.events database table with the new eventstore.events2 table. All existing events are migrated during the execution of the zitadel setup command. New events will be inserted into the new eventstore.events2 table. The old table evetstore.events is renamed to eventstore.events_old and will be dropped in a future release of ZITADEL.

2.39.0Calendar week 41/42 2023
A-10006Additional grant to cockroach database userBreaking Behavior Change

Versions >= 2.39.0 require the cockroach database user of ZITADEL to be granted to the VIEWACTIVITY grant. This can either be reached by grant the role manually or execute the zitadel init command.

2.39.0Calendar week 41/42 2023
A-10007Additional grant to cockroach database userBreaking Behavior Change

Upcoming Versions require the SYSTEM_OWNER role to be available in the permission role mappings. Self-hosting ZITADEL users who define custom permission role mappings need to make sure their system users don't lose access to the system API.

UpcomingUpcoming
A-10008New flag to prefill projections during setup instead of after startFeature description

New flag --init-projections introduced to zitadel setup commands (setup, start-from-setup, start-from-init)

2.44.0, 2.43.6, 2.42.122024-01-25
A-10009Ensure lock distribution for FOR UPDATE-statements on CockroachdbFeature description

Fixes rare cases where updating projections was blocked by a WRITE_TOO_OLD-error when using cockroachdb.

2.53.02024-05-28
A-10010Event type of token added event changedBreaking Behavior Change

Version 2.53.0 improves the token issuance. Due to this there are changes to the event types created on token creation.

2.53.02024-05-28
A-10011Identity Provider options: allow "auto" onlyBreaking Behavior Change

Version 2.59.0 allows more combinations in the identity provider options. Due to this there might be unexpected behavior changes.

2.59.02024-08-19

Subscribe to our Mailing List​

If you want to stay up to date on our technical advisories, we recommend subscribing to the mailing list. Go to the subscription form and add your email address.

As ZITADEL Cloud customer, you can also login to the ZITADEL Customer Portal and enable the Technical Advisory Notifications in your settings.

Categories​

Breaking Behavior Change​

A breaking behavior change refers to a modification or update that changes the behavior of ZITADEL. This change does not necessarily affect the APIs or any functions you are calling, so it may not require an update to your code. However, if you rely on specific results or behaviors, they may no longer be guaranteed after the change is implemented. Therefore, it is important to be aware of breaking behavior changes and their potential impact on your use of ZITADEL, and to take appropriate action if needed to ensure continued functionality.

Expected downtime during upgrade​

Expected downtime during upgrade means that ZITADEL might become unavailable during an upgrade. ZITADEL is built for zero downtime upgrades at upgrades can be executed without downtime by just updating to a more recent version. When deploying certain changes a zero downtime upgrade might not be possible, for example to guarantee data integrity. In such cases we will issue a technical advisory to make you aware of this unexpected behavior.