High severity. NVD Advisory. Published Mar 7, 2026. Updated Mar 9, 2026.
ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login
CVE-2026-29067
Description
ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1.
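As an added illustration (not code from ZITADEL, the patch, or the advisory), the Go snippet below contrasts a reset-link builder that takes its origin from the Forwarded / X-Forwarded-Host headers, as the description says the affected versions did, with one that accepts a host only if it appears in the instance's configured domain list. The function names, the `/password/reset` path and the domain allowlist are assumptions for the example.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// ErrUntrustedHost: a proxy header names a host the instance does not own.
var ErrUntrustedHost = errors.New("forwarded host is not a configured instance domain")
// proxyHost returns the host a proxy claims the client used: host= from the
// first RFC 7239 Forwarded element, otherwise X-Forwarded-Host ("" if neither).
func proxyHost(r *http.Request) string {
	if fw := r.Header.Get("Forwarded"); fw != "" {
		for _, pair := range strings.Split(strings.SplitN(fw, ",", 2)[0], ";") {
			kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
			if len(kv) == 2 && strings.EqualFold(kv[0], "host") {
				return strings.Trim(kv[1], `"`)
			}
		}
	}
	return r.Header.Get("X-Forwarded-Host")
}

// resetLinkFromHeaders mirrors the flaw: the link origin comes straight from
// proxy headers, so whoever controls them picks the host in the emailed link.
func resetLinkFromHeaders(r *http.Request, code string) string {
	host := proxyHost(r)
	if host == "" {
		host = r.Host
	}
	return "https://" + host + "/password/reset?code=" + url.QueryEscape(code)
}

// resetLinkFromInstance accepts a host only if it is one of the instance's
// configured domains (assumed fix shape for this example, not ZITADEL's patch).
func resetLinkFromInstance(r *http.Request, domains map[string]bool, code string) (string, error) {
	host := strings.ToLower(proxyHost(r))
	if host == "" {
		host = strings.ToLower(r.Host)
	}
	if !domains[host] {
		return "", ErrUntrustedHost
	}
	u := url.URL{Scheme: "https", Host: host, Path: "/password/reset",
		RawQuery: url.Values{"code": {code}}.Encode()}
	return u.String(), nil
}
```

A defender reviewing a deployment can apply the same check at the reverse proxy: strip or overwrite client-supplied Forwarded and X-Forwarded-Host headers before they reach the identity service, so that the service only ever sees values the proxy set.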
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/zitadel/zitadel | Go | < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| github.com/zitadel/zitadel | Go | >= 1.83.4, <= 1.87.5 | — |
| github.com/zitadel/zitadel | Go | >= 4.0.0-rc.1, < 4.7.1 | 4.7.1 |
| github.com/zitadel/zitadel/v2 | Go | < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
Affected products (3)
- ghsa-coords: 2 versions: < 1.80.0-v2.20.0.20251208091519-4c879b47334e, + 1 more
- (no CPE) range: < 1.80.0-v2.20.0.20251208091519-4c879b47334e
- (no CPE) range: < 1.80.0-v2.20.0.20251208091519-4c879b47334e
References (4)
- github.com/advisories/GHSA-pfrf-9r5f-73f5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-29067 (ghsa, ADVISORY)
- github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96 (ghsa, WEB)
- github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5 (ghsa, x_refsource_CONFIRM, WEB)
News mentions (0): no linked articles in our index yet.