VYPR

Zitadel

by Zitadel


CVEs (52)

  • CVE-2025-67494 (Dec 9, 2025)
    risk 0.00 | cvss - | epss 0.00

    ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including…

  • CVE-2025-64717 (Nov 13, 2025)
    risk 0.00 | cvss - | epss 0.00

    ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if…

  • CVE-2025-64103 (Oct 29, 2025)
    risk 0.00 | cvss - | epss 0.00

    Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi-factor authentication if the login policy had either requireMFA or requireMFAForLocalUsers enabled. If a user had set up MFA without this requirement, Zitadel would consider single-factor authenticated…

  • CVE-2025-64102 (Oct 29, 2025)
    risk 0.00 | cvss - | epss 0.00

    Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or…

  • CVE-2025-64101 (Oct 29, 2025)
    risk 0.00 | cvss - | epss 0.00

    Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the…

  • CVE-2025-57770 (Aug 22, 2025)
    risk 0.00 | cvss - | epss 0.00

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI…

  • CVE-2025-53895 (Jul 15, 2025)
    risk 0.00 | cvss - | epss 0.00

    ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a…

  • CVE-2025-48936 (May 30, 2025)
    risk 0.00 | cvss - | epss 0.00

    Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the…

  • CVE-2025-46815 (May 6, 2025)
    risk 0.00 | cvss - | epss 0.00

    The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a…

  • CVE-2025-31124 (Mar 31, 2025)
    risk 0.00 | cvss - | epss 0.00

    Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't…

  • CVE-2025-31123 (Mar 31, 2025)
    risk 0.00 | cvss - | epss 0.00

    Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with…

  • CVE-2025-27507 (Mar 4, 2025)
    risk 0.00 | cvss - | epss 0.01

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify…

  • CVE-2024-49757 (Oct 25, 2024)
    risk 0.00 | cvss - | epss 0.03

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option…

  • CVE-2024-49753 (Oct 25, 2024)
    risk 0.00 | cvss - | epss 0.01

    Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions that allows bypassing restrictions intended to block requests to localhost (127.0.0.1).…

  • CVE-2024-46999 (Sep 19, 2024)
    risk 0.00 | cvss - | epss 0.00

    Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management…

  • CVE-2024-47000 (Sep 19, 2024)
    risk 0.00 | cvss - | epss 0.00

    Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and…

  • CVE-2024-47060 (Sep 19, 2024)
    risk 0.00 | cvss - | epss 0.00

    Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, its associated projects, and therefore their applications, remain active. Users across other organizations can still log in and access through these applications, leading to…

  • CVE-2024-41953 (Jul 31, 2024)
    risk 0.00 | cvss - | epss 0.01

    Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include…

  • CVE-2024-41952 (Jul 31, 2024)
    risk 0.00 | cvss - | epss 0.01

    Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't…

  • CVE-2024-39683 (Jul 3, 2024)
    risk 0.00 | cvss - | epss 0.01

    ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without…
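Three of the entries above (CVE-2025-48936, CVE-2025-64101 and, for the Login UI, CVE-2025-67494) share one root cause: a host value taken from a request header is used to build a URL that is then mailed to a victim or fetched by the server. The Go below is an added example, not Zitadel's code, showing the vulnerable pattern beside two hardened forms. The hostname auth.example.com, the path /ui/login/password/reset and the attacker host are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// configuredExternalDomain stands in for the public hostname an operator
// configures for the instance (assumed name; in a real service it comes from
// configuration, never from the request).
const configuredExternalDomain = "auth.example.com"

const resetPath = "/ui/login/password/reset"

// buildResetURLVulnerable shows the pattern the advisories describe: when an
// X-Forwarded-Host header is present it wins over the connection's Host, so a
// request carrying an attacker-chosen value yields a reset link that points at
// the attacker's host. A "Forwarded: host=..." header used the same way has
// the same effect.
func buildResetURLVulnerable(r *http.Request, code string) string {
	host := r.Host
	if fwd := r.Header.Get("X-Forwarded-Host"); fwd != "" {
		host = fwd
	}
	return "https://" + host + resetPath + "?code=" + url.QueryEscape(code)
}

// buildResetURLHardened never consults the request for the host part.
func buildResetURLHardened(code string) string {
	u := url.URL{Scheme: "https", Host: configuredExternalDomain, Path: resetPath}
	q := url.Values{}
	q.Set("code", code)
	u.RawQuery = q.Encode()
	return u.String()
}

// allowedHost is for deployments with several legitimate public hostnames: a
// forwarded host is only used if it matches an explicit allowlist after
// lower-casing and stripping an optional port. Anything else is rejected and
// the caller falls back to the configured domain.
func allowedHost(forwarded string, allow []string) (string, bool) {
	h := strings.ToLower(strings.TrimSpace(forwarded))
	if i := strings.LastIndex(h, ":"); i != -1 && !strings.Contains(h[i:], "]") {
		h = h[:i] // "auth.example.com:443" -> "auth.example.com"; "[::1]" is left alone
	}
	for _, a := range allow {
		if h == strings.ToLower(a) {
			return h, true
		}
	}
	return "", false
}

func main() {
	req, _ := http.NewRequest(http.MethodPost, "https://auth.example.com/v2/users/password_reset", nil)
	req.Host = "auth.example.com"
	req.Header.Set("X-Forwarded-Host", "attacker.example.net") // constructed attacker input
	fmt.Println("vulnerable:", buildResetURLVulnerable(req, "tok123"))
	fmt.Println("hardened:  ", buildResetURLHardened("tok123"))
}
```

Note that r.Host is no safer than X-Forwarded-Host unless a trusted reverse proxy overwrites both: a client that talks to the service directly controls the Host header too. The allowlist form is the right check when a proxy legitimately fronts several hostnames; the configured-domain form is the right one everywhere else.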
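CVE-2024-49753 says only that the action URL check could be bypassed to reach 127.0.0.1; the page does not say which encoding did it. The Go below is an added example, not Zitadel's code, of why a string comparison on the hostname is the wrong check and what the replacement looks like: restrict the scheme, parse IP literals, resolve names through an injected resolver, and reject every address that is loopback, unspecified, private or link-local. The hostnames and addresses in the test are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// validateNaive is the shape of check that gets bypassed: it compares the
// hostname against two literals and nothing else, so "[::1]", "0.0.0.0",
// "[::ffff:127.0.0.1]" or a public name that resolves to 127.0.0.1 all pass.
func validateNaive(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if h := u.Hostname(); h == "127.0.0.1" || h == "localhost" {
		return errors.New("blocked: loopback")
	}
	return nil
}

// Resolver is injected so the check runs offline in tests and so the
// addresses that are validated are the ones that will actually be dialled.
type Resolver func(host string) ([]net.IP, error)

func liveResolver(host string) ([]net.IP, error) { return net.LookupIP(host) }

// isForbidden covers loopback, unspecified, RFC 1918 / ULA and link-local
// (which includes 169.254.169.254-style cloud metadata endpoints).
func isForbidden(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
}

// validateHardened restricts the scheme, parses IP literals in every form Go
// accepts (dotted quad, IPv6, IPv4-mapped IPv6) and resolves names, then
// checks every address. Shorthand forms such as "127.1" are rejected by
// net.ParseIP but accepted by some libc resolvers; because resolved addresses
// are checked too, both paths reach the same decision.
func validateHardened(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("blocked: scheme %q", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("blocked: empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = resolve(host)
		if err != nil || len(ips) == 0 {
			return fmt.Errorf("blocked: cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if isForbidden(ip) {
			return fmt.Errorf("blocked: %s -> %s", host, ip)
		}
	}
	return nil
}

func main() {
	// IP literals only, so this runs without network access.
	for _, raw := range []string{
		"http://127.0.0.1/", "http://[::1]:8080/", "http://[::ffff:127.0.0.1]/",
		"http://0.0.0.0/", "http://169.254.169.254/latest/meta-data/",
	} {
		fmt.Printf("naive=%v hardened=%v %s\n", validateNaive(raw), validateHardened(raw, liveResolver), raw)
	}
}
```

Validating before the request is still only half of it: a name can resolve to a public address at check time and to 127.0.0.1 at dial time (DNS rebinding). The same isForbidden test belongs in the dialer's Control hook so the address actually connected to is the one that was checked.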
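CVE-2025-31123 is about a check that is easy to forget: in the JWT profile for authorization grants the client signs its own assertion, and the assertion's exp claim can be perfectly fresh while the key it was signed with expired long ago. The Go below is an added example, not Zitadel's code. It builds a minimal EdDSA JWT without a library so it runs stand-alone, keeps a key store whose entries carry their own expiry, and verifies the same token with and without the key-expiry check; the key IDs, subject and expiry times are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// registeredKey is what a machine user uploads: a public key plus the
// lifetime the operator gave it. That lifetime is independent of any token.
type registeredKey struct {
	ID      string
	Public  ed25519.PublicKey
	Expires time.Time
}

type keyStore map[string]registeredKey

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signJWT produces header.payload.signature with a kid header, as the client
// side of the grant would.
func signJWT(kid string, priv ed25519.PrivateKey, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(ed25519.Sign(priv, []byte(signingInput)))
}

// verify checks alg, kid, signature and the JWT's own exp, then, only when
// checkKeyExpiry is set, the expiry of the registered key. The flag models the
// before and after of the advisory: with it false an expired key still mints
// tokens. Issuer/audience checks are omitted to keep the point visible.
func verify(token string, ks keyStore, now time.Time, checkKeyExpiry bool) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "EdDSA" {
		return c, errors.New("unexpected alg")
	}
	key, ok := ks[hdr.Kid]
	if !ok {
		return c, errors.New("unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	if !ed25519.Verify(key.Public, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	bodyRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("jwt expired")
	}
	if checkKeyExpiry && !now.Before(key.Expires) {
		return c, fmt.Errorf("key %s expired at %s", key.ID, key.Expires.UTC().Format(time.RFC3339))
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ks := keyStore{"k1": {ID: "k1", Public: pub, Expires: now.Add(-24 * time.Hour)}} // key expired yesterday
	tok := signJWT("k1", priv, claims{Iss: "svc-user", Sub: "svc-user", Exp: now.Add(time.Hour).Unix()})
	_, err := verify(tok, ks, now, false)
	fmt.Println("without key-expiry check:", err)
	_, err = verify(tok, ks, now, true)
	fmt.Println("with key-expiry check:   ", err)
}
```

The practical check for an operator is the same as the test below: take a machine user whose key has passed its expiry, sign a fresh assertion with it, and confirm the token endpoint refuses it. A token endpoint that accepts it has the bug regardless of what the JWT's exp says.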