VYPR

Vendor CVEs

Zitadel

All CVEs

52 total · sorted by risk
  • CVE-2025-64431 · High · Nov 7, 2025
    risk 0.50 · cvss n/a · epss 0.00

    Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to Insecure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and…

  • CVE-2026-44671 · High · May 14, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search…

  • CVE-2026-55672 · High · Jun 18, 2026
    risk 0.38 · cvss n/a · epss n/a

    Zitadel's OAuth2 / OIDC `CodeExchange` and `RefreshToken` implementations omit a critical validation step to ensure that the requesting client matches the client that originally initiated the authorization flow. This violates RFC 6749 Section 4.1.3, which mandates…

  • CVE-2026-55669 · Jun 18, 2026
    risk 0.00 · cvss n/a · epss n/a

    An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider (IdP) implementation. When validating JSON Web Tokens (JWTs) from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer (`iss`),…

  • CVE-2026-55670 · Low · Jun 18, 2026
    risk 0.00 · cvss n/a · epss n/a

    A flaw in the user lifecycle enforcement allowed deleted users to retain their original organization/tenant association. Recreating a deleted user under a distinct organization can cause the new user instance to be incorrectly provisioned within the original…

  • CVE-2026-55671 · Low · Jun 18, 2026
    risk 0.00 · cvss n/a · epss n/a

    A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting: HTTP Notification Channels (used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks) and OIDC BackChannel…

  • CVE-2026-33132 · Mar 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organization context during authentication using scopes…

  • CVE-2026-32132 · Mar 11, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the…

  • CVE-2026-32131 · Mar 11, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read)…

  • CVE-2026-32130 · Mar 11, 2026
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Requests to the API with URL-encoded path values were…

  • CVE-2026-29067 · Mar 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for…

  • CVE-2026-29193 · Mar 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were…

  • CVE-2026-29192 · Mar 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.

  • CVE-2026-29191 · Mar 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0.

  • CVE-2026-27946 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions…

  • CVE-2026-27945 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Zitadel Action V2 (introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0) is a webhook-based approach that allows developers to act on API requests to Zitadel and customize flows such as the issuance of a token. Zitadel's…

  • CVE-2026-27840 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque…

  • CVE-2026-23511 · Jan 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating…

  • CVE-2025-67717 · Dec 11, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII,…

  • CVE-2025-67495 · Dec 9, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a…

  • CVE-2025-67494 · Dec 9, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including…

  • CVE-2025-64717 · Nov 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if…

  • CVE-2025-64103 · Oct 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor authenticated…

  • CVE-2025-64102 · Oct 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or…

  • CVE-2025-64101 · Oct 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the…

  • CVE-2025-57770 · Aug 22, 2025
    risk 0.00 · cvss n/a · epss 0.00

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI…

  • CVE-2025-53895 · Jul 15, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a…

  • CVE-2025-48936 · May 30, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the…

  • CVE-2025-46815 · May 6, 2025
    risk 0.00 · cvss n/a · epss 0.00

    The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a…

  • CVE-2025-31124 · Mar 31, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't…

  • CVE-2025-31123 · Mar 31, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with…

  • CVE-2025-27507 · Mar 4, 2025
    risk 0.00 · cvss n/a · epss 0.01

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify…

  • CVE-2024-49757 · Oct 25, 2024
    risk 0.00 · cvss n/a · epss 0.03

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option…

  • CVE-2024-49753 · Oct 25, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions that allows bypassing restrictions intended to block requests to localhost (127.0.0.1).…

  • CVE-2024-46999 · Sep 19, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management…

  • CVE-2024-47000 · Sep 19, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and…

  • CVE-2024-47060 · Sep 19, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, its associated projects and their applications remain active. Users across other organizations can still log in and access through these applications, leading to…

  • CVE-2024-41953 · Jul 31, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include…

  • CVE-2024-41952 · Jul 31, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't…

  • CVE-2024-39683 · Jul 3, 2024
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without…

  • CVE-2024-32967 · May 1, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Zitadel is an open source identity management system. In case ZITADEL could not connect to the database, connection information including db name, username and db host name could be returned to the user. This has been addressed in all supported release branches in a point…

  • CVE-2024-32868 · Apr 25, 2024
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there…

  • CVE-2024-29892 · Mar 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To…

  • CVE-2024-29891 · Mar 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the…

  • CVE-2024-28855 · Mar 18, 2024
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to an improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1,…

  • CVE-2024-28197 · Mar 11, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take…

  • CVE-2023-49097 · Nov 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the…

  • CVE-2023-47111 · Nov 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum.…

  • CVE-2023-46238 · Oct 26, 2023
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types including SVG. SVG can include scripts, such as javascript, which can be executed during rendering. Due to a missing security header, an attacker…

  • CVE-2023-44399 · Oct 10, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting was properly working during the…

Page 1 of 2