VYPR
High severity · NVD Advisory · Published Mar 7, 2026 · Updated Mar 9, 2026

ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login

CVE-2026-29067

Description

ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1.
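The pattern the description refers to, shown next to a hardened variant, as an added Go example that is not ZITADEL's code: the link path, the allowlist shape and the sample host names are assumptions. The unsafe function builds the emailed link from whatever host the client supplied in Forwarded or X-Forwarded-Host, so the secret code would be sent to a link pointing at a host of the requester's choosing; the hardened functions accept a proxied host only when it matches a server-side list of configured instance domains and otherwise refuse to build the link.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed path of the password-set page; ZITADEL's real route may differ.
const resetPath = "/login/password/set"

// hostFromForwarded extracts the host= parameter from the first element of an
// RFC 7239 Forwarded header, e.g. `for=203.0.113.5;host="login.example.com";proto=https`.
// It returns "" when the parameter is absent.
func hostFromForwarded(forwarded string) string {
	first := strings.SplitN(forwarded, ",", 2)[0]
	for _, pair := range strings.Split(first, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if ok && strings.EqualFold(k, "host") {
			return strings.Trim(strings.TrimSpace(v), `"`)
		}
	}
	return ""
}

// resetLinkUnsafe mirrors the weakness in the advisory: the host of the emailed
// confirmation link is taken from client-controlled proxy headers, falling back
// to the Host header. Nothing here checks that the host belongs to the instance.
func resetLinkUnsafe(forwarded, xForwardedHost, requestHost, code string) string {
	host := hostFromForwarded(forwarded)
	if host == "" {
		host = xForwardedHost
	}
	if host == "" {
		host = requestHost
	}
	return "https://" + host + resetPath + "?code=" + url.QueryEscape(code)
}

// resolveInstanceHost is the hardened counterpart for deployments that really do
// select the instance by proxied host: the candidate is accepted only when it
// exactly matches (case-insensitively) one of the configured instance domains.
// Entries are compared as-is, so include the port in the allowlist if the
// proxy forwards one.
func resolveInstanceHost(forwarded, xForwardedHost string, allowed []string) (string, error) {
	candidate := hostFromForwarded(forwarded)
	if candidate == "" {
		candidate = xForwardedHost
	}
	candidate = strings.ToLower(strings.TrimSpace(candidate))
	for _, a := range allowed {
		if candidate == strings.ToLower(a) {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("forwarded host %q is not a configured instance domain", candidate)
}

// resetLinkSafe builds the link only from a host that has already been validated
// (or that comes straight from configuration, which is the simplest safe option).
func resetLinkSafe(validatedHost, code string) string {
	return "https://" + validatedHost + resetPath + "?code=" + url.QueryEscape(code)
}

func main() {
	allowed := []string{"login.example.com"} // constructed instance domain
	// Constructed request: the proxy header names a host outside the instance.
	fmt.Println("unsafe:  ", resetLinkUnsafe("", "attacker.invalid", "login.example.com", "SECRET"))
	if _, err := resolveInstanceHost("", "attacker.invalid", allowed); err != nil {
		fmt.Println("hardened:", err)
	}
	// Constructed legitimate request via a reverse proxy that sets Forwarded.
	host, err := resolveInstanceHost("for=203.0.113.5;host=login.example.com;proto=https", "", allowed)
	if err == nil {
		fmt.Println("hardened:", resetLinkSafe(host, "SECRET"))
	}
}
```

The safest choice is not to consult the request at all and take the link host from the instance's configured external domain; the allowlist variant exists for multi-instance setups where the proxied host is the only signal available for choosing the instance.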


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem  Affected versions                              Patched versions
github.com/zitadel/zitadel     Go         < 1.80.0-v2.20.0.20251208091519-4c879b47334e   1.80.0-v2.20.0.20251208091519-4c879b47334e
github.com/zitadel/zitadel     Go         >= 1.83.4, <= 1.87.5                           -
github.com/zitadel/zitadel     Go         >= 4.0.0-rc.1, < 4.7.1                         4.7.1
github.com/zitadel/zitadel/v2  Go         < 1.80.0-v2.20.0.20251208091519-4c879b47334e   1.80.0-v2.20.0.20251208091519-4c879b47334e

Affected products: 3

References: 4

News mentions: 0 (no linked articles in our index yet)