Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    114 vulnerabilities found for zitadel by zitadel

    CVE-2026-56668 (GCVE-0-2026-56668)

    Vulnerability from nvd – Published: 2026-07-10 17:46 – Updated: 2026-07-10 17:46
    VLAI
    Title
    ZITADEL: Unauthorized Token Privilege Escalation in OAuth2 Token Exchange
    Summary
    ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL\u0027s OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token\u0027s scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:46:25.937Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-vrh8-c9cm-wh8v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-vrh8-c9cm-wh8v"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/e2886a61670ca8fd41c9434f87036546e5620bcc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/e2886a61670ca8fd41c9434f87036546e5620bcc"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3"
            }
          ],
          "source": {
            "advisory": "GHSA-vrh8-c9cm-wh8v",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Unauthorized Token Privilege Escalation in OAuth2 Token Exchange"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56668",
        "datePublished": "2026-07-10T17:46:25.937Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T17:46:25.937Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56667 (GCVE-0-2026-56667)

    Vulnerability from nvd – Published: 2026-07-10 17:25 – Updated: 2026-07-10 20:58
    VLAI
    Title
    ZITADEL: Stored XSS via Default URI Redirect in Login V2
    Summary
    ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user's browser when an affected login error path is reached. This issue is fixed in version 4.15.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56667",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:48:13.845508Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:58:28.907Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user\u0027s browser when an affected login error path is reached. This issue is fixed in version 4.15.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:25:46.882Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-5wcj-9wj4-j65h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-5wcj-9wj4-j65h"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/038265925a3b05ac1df8aad461ab071983e9eb85",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/038265925a3b05ac1df8aad461ab071983e9eb85"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3"
            }
          ],
          "source": {
            "advisory": "GHSA-5wcj-9wj4-j65h",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Stored XSS via Default URI Redirect in Login V2"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56667",
        "datePublished": "2026-07-10T17:25:46.882Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T20:58:28.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56666 (GCVE-0-2026-56666)

    Vulnerability from nvd – Published: 2026-07-10 17:37 – Updated: 2026-07-10 17:37
    VLAI
    Title
    ZITADEL: Auto-linking by email: IdP-side email verification is not checked
    Summary
    ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL\u0027s external identity provider handler checks that the local user\u0027s email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim\u0027s local account. This issue is fixed in version 4.15.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:37:37.137Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-992q-9gwp-7r79",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-992q-9gwp-7r79"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/c97012f0c5dc2fe960ae6e940cbea23229f0557f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/c97012f0c5dc2fe960ae6e940cbea23229f0557f"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3"
            }
          ],
          "source": {
            "advisory": "GHSA-992q-9gwp-7r79",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Auto-linking by email: IdP-side email verification is not checked"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56666",
        "datePublished": "2026-07-10T17:37:37.137Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T17:37:37.137Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56665 (GCVE-0-2026-56665)

    Vulnerability from nvd – Published: 2026-07-10 17:22 – Updated: 2026-07-10 18:17
    VLAI
    Title
    ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.15.2
    Affected: < 3.4.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56665",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T18:17:34.928689Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T18:17:48.365Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL\u0027s external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:22:46.079Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v77h-2w3m-94hx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v77h-2w3m-94hx"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-v77h-2w3m-94hx",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56665",
        "datePublished": "2026-07-10T17:22:46.079Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T18:17:48.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56664 (GCVE-0-2026-56664)

    Vulnerability from nvd – Published: 2026-07-10 17:21 – Updated: 2026-07-10 18:01
    VLAI
    Title
    ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.15.2
    Affected: < 3.4.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56664",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T18:01:03.850160Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T18:01:25.422Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL\u0027s external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:21:22.653Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wxg7-w2v3-w38g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wxg7-w2v3-w38g"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-wxg7-w2v3-w38g",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56664",
        "datePublished": "2026-07-10T17:21:22.653Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T18:01:25.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55672 (GCVE-0-2026-55672)

    Vulnerability from nvd – Published: 2026-07-10 17:19 – Updated: 2026-07-10 18:38
    VLAI
    Title
    ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.15.2
    Affected: < 3.4.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55672",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T18:38:05.489144Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T18:38:10.755Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL\u0027s OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:19:05.266Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xqxv-4jc2-x56x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xqxv-4jc2-x56x"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/562403079a98cf2059cdac11865a45e2f285be71",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/562403079a98cf2059cdac11865a45e2f285be71"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/5b1708e0e650398f0ebc3341714f0798b0118917",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/5b1708e0e650398f0ebc3341714f0798b0118917"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-xqxv-4jc2-x56x",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55672",
        "datePublished": "2026-07-10T17:19:05.266Z",
        "dateReserved": "2026-06-17T00:05:03.778Z",
        "dateUpdated": "2026-07-10T18:38:10.755Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55671 (GCVE-0-2026-55671)

    Vulnerability from nvd – Published: 2026-07-10 17:17 – Updated: 2026-07-10 17:17
    VLAI
    Title
    ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
    Summary
    ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL\u0027s HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:17:50.095Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-29jh-8cfq-rr8x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-29jh-8cfq-rr8x"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/b6f78086913b8d916bce9ab2e049ab0d84f947fd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/b6f78086913b8d916bce9ab2e049ab0d84f947fd"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-29jh-8cfq-rr8x",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55671",
        "datePublished": "2026-07-10T17:17:50.095Z",
        "dateReserved": "2026-06-17T00:05:03.778Z",
        "dateUpdated": "2026-07-10T17:17:50.095Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55670 (GCVE-0-2026-55670)

    Vulnerability from nvd – Published: 2026-07-10 17:15 – Updated: 2026-07-10 20:58
    VLAI
    Title
    ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
    Summary
    ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55670",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:46:22.799188Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:58:36.084Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL\u0027s event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization\u0027s administrator. This issue is fixed in version 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:15:44.783Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6x8v-2fq5-2229",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6x8v-2fq5-2229"
            },
            {
              "name": "https://github.com/zitadel/zitadel/pull/12261",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/pull/12261"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/a939b847d90c3370bd162064e57764b89c01be46",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/a939b847d90c3370bd162064e57764b89c01be46"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-6x8v-2fq5-2229",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55670",
        "datePublished": "2026-07-10T17:15:44.783Z",
        "dateReserved": "2026-06-17T00:05:03.777Z",
        "dateUpdated": "2026-07-10T20:58:36.084Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55669 (GCVE-0-2026-55669)

    Vulnerability from nvd – Published: 2026-07-10 16:58 – Updated: 2026-07-10 18:16
    VLAI
    Title
    ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer (iss) but not the audience (aud) claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted by ZITADEL. This issue is fixed in versions 3.4.12 and 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.15.2
    Affected: < 3.4.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55669",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T18:16:38.817721Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T18:16:52.558Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL\u0027s external JWT Identity Provider validates a token\u0027s signature and issuer (iss) but not the audience (aud) claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted by ZITADEL. This issue is fixed in versions 3.4.12 and 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T16:59:39.408Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g5h5-m4hm-xjrr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g5h5-m4hm-xjrr"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-g5h5-m4hm-xjrr",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55669",
        "datePublished": "2026-07-10T16:58:46.140Z",
        "dateReserved": "2026-06-17T00:05:03.777Z",
        "dateUpdated": "2026-07-10T18:16:52.558Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44671 (GCVE-0-2026-44671)

    Vulnerability from nvd – Published: 2026-05-14 21:13 – Updated: 2026-05-15 18:05
    VLAI
    Title
    ZITADEL: LDAP Filter Injection in Login Flow
    Summary
    ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This vulnerability is fixed in 3.4.10 and 4.15.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 2.71.11, < 3.4.10
    Affected: >= 4.0.0, < 4.15.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44671",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T15:28:24.578778Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T18:05:06.108Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.71.11, \u003c 3.4.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel\u0027s LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This vulnerability is fixed in 3.4.10 and 4.15.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-90",
                  "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T21:13:03.077Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-rxvx-hhpj-q6px",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-rxvx-hhpj-q6px"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.10"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.0"
            }
          ],
          "source": {
            "advisory": "GHSA-rxvx-hhpj-q6px",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: LDAP Filter Injection in Login Flow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44671",
        "datePublished": "2026-05-14T21:13:03.077Z",
        "dateReserved": "2026-05-07T16:20:08.659Z",
        "dateUpdated": "2026-05-15T18:05:06.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33132 (GCVE-0-2026-33132)

    Vulnerability from nvd – Published: 2026-03-20 10:21 – Updated: 2026-03-20 19:31
    VLAI
    Title
    ZITADEL is missing enforcement of organization scopes
    Summary
    ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints. This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.12.3
    Affected: >= 3.0.0-rc.1, < 3.4.9
    Affected: < 1.80.0-v2.20.0.20260317120401-d90285929ca0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33132",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T19:30:52.294049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T19:31:30.207Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.12.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0-rc.1, \u003c 3.4.9"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.80.0-v2.20.0.20260317120401-d90285929ca0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-20T10:21:19.373Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3"
            }
          ],
          "source": {
            "advisory": "GHSA-g2pf-ww5m-2r9m",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL is missing enforcement of organization scopes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33132",
        "datePublished": "2026-03-20T10:21:19.373Z",
        "dateReserved": "2026-03-17T20:35:49.928Z",
        "dateUpdated": "2026-03-20T19:31:30.207Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32132 (GCVE-0-2026-32132)

    Vulnerability from nvd – Published: 2026-03-11 21:40 – Updated: 2026-03-12 16:17
    VLAI
    Title
    ZITADEL: Reactivation of Expired Passkey Registration Codes
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow an attacker to potentially register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0, < 4.12.2
    Affected: < 3.4.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32132",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-12T15:11:28.138761Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-12T16:17:54.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.12.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel\u0027s passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow an attacker to potentially register their own passkey and gain access to the victim\u0027s account. This vulnerability is fixed in 3.4.8 and 4.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-11T21:40:07.055Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2x66-r53r-9r86",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2x66-r53r-9r86"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-2x66-r53r-9r86",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Reactivation of Expired Passkey Registration Codes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32132",
        "datePublished": "2026-03-11T21:40:07.055Z",
        "dateReserved": "2026-03-10T22:19:36.545Z",
        "dateUpdated": "2026-03-12T16:17:54.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32131 (GCVE-0-2026-32131)

    Vulnerability from nvd – Published: 2026-03-11 21:38 – Updated: 2026-03-12 16:18
    VLAI
    Title
    ZITADEL Cross-Tenant Information Disclosure in Management API
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant’s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0, < 4.12.2
    Affected: < 3.4.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32131",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-12T15:44:01.072159Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-12T16:18:01.726Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.12.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel\u0027s Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant\u2019s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-11T21:40:24.067Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-wr6r-59xg-4pj2",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL Cross-Tenant Information Disclosure in Management API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32131",
        "datePublished": "2026-03-11T21:38:51.942Z",
        "dateReserved": "2026-03-10T22:19:36.545Z",
        "dateUpdated": "2026-03-12T16:18:01.726Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32130 (GCVE-0-2026-32130)

    Vulnerability from nvd – Published: 2026-03-11 21:37 – Updated: 2026-03-12 16:18
    VLAI
    Title
    ZITADEL SCIM Authentication Bypass via URL Encoding
    Summary
    ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0, < 4.12.2
    Affected: >= 2.68.0, < 3.4.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-12T15:15:07.742217Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-12T16:18:08.397Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.12.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.68.0, \u003c 3.4.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-11T21:37:07.369Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-83pv-4xxp-rm2x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-83pv-4xxp-rm2x"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-83pv-4xxp-rm2x",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL SCIM Authentication Bypass via URL Encoding"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32130",
        "datePublished": "2026-03-11T21:37:07.369Z",
        "dateReserved": "2026-03-10T22:19:36.545Z",
        "dateUpdated": "2026-03-12T16:18:08.397Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-29193 (GCVE-0-2026-29193)

    Vulnerability from nvd – Published: 2026-03-07 15:11 – Updated: 2026-03-09 18:27
    VLAI
    Title
    ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2
    Summary
    ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0, < 4.12.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29193",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-09T17:43:41.438986Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-09T18:27:32.981Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.12.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel\u0027s login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-07T15:11:06.415Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8"
            }
          ],
          "source": {
            "advisory": "GHSA-25rw-g6ff-fmg8",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-29193",
        "datePublished": "2026-03-07T15:11:06.415Z",
        "dateReserved": "2026-03-04T14:44:00.715Z",
        "dateUpdated": "2026-03-09T18:27:32.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-29192 (GCVE-0-2026-29192)

    Vulnerability from nvd – Published: 2026-03-07 15:09 – Updated: 2026-03-09 20:44
    VLAI
    Title
    ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
    Summary
    ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0, < 4.12.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-09T20:39:42.474571Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-09T20:44:25.436Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.12.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel\u0027s login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-07T15:09:53.454Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7"
            }
          ],
          "source": {
            "advisory": "GHSA-6rx5-m2rc-hmf7",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-29192",
        "datePublished": "2026-03-07T15:09:53.454Z",
        "dateReserved": "2026-03-04T14:44:00.714Z",
        "dateUpdated": "2026-03-09T20:44:25.436Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56668 (GCVE-0-2026-56668)

    Vulnerability from cvelistv5 – Published: 2026-07-10 17:46 – Updated: 2026-07-10 17:46
    VLAI
    Title
    ZITADEL: Unauthorized Token Privilege Escalation in OAuth2 Token Exchange
    Summary
    ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL\u0027s OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token\u0027s scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:46:25.937Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-vrh8-c9cm-wh8v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-vrh8-c9cm-wh8v"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/e2886a61670ca8fd41c9434f87036546e5620bcc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/e2886a61670ca8fd41c9434f87036546e5620bcc"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3"
            }
          ],
          "source": {
            "advisory": "GHSA-vrh8-c9cm-wh8v",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Unauthorized Token Privilege Escalation in OAuth2 Token Exchange"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56668",
        "datePublished": "2026-07-10T17:46:25.937Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T17:46:25.937Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56666 (GCVE-0-2026-56666)

    Vulnerability from cvelistv5 – Published: 2026-07-10 17:37 – Updated: 2026-07-10 17:37
    VLAI
    Title
    ZITADEL: Auto-linking by email: IdP-side email verification is not checked
    Summary
    ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL\u0027s external identity provider handler checks that the local user\u0027s email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim\u0027s local account. This issue is fixed in version 4.15.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:37:37.137Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-992q-9gwp-7r79",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-992q-9gwp-7r79"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/c97012f0c5dc2fe960ae6e940cbea23229f0557f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/c97012f0c5dc2fe960ae6e940cbea23229f0557f"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3"
            }
          ],
          "source": {
            "advisory": "GHSA-992q-9gwp-7r79",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Auto-linking by email: IdP-side email verification is not checked"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56666",
        "datePublished": "2026-07-10T17:37:37.137Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T17:37:37.137Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56667 (GCVE-0-2026-56667)

    Vulnerability from cvelistv5 – Published: 2026-07-10 17:25 – Updated: 2026-07-10 20:58
    VLAI
    Title
    ZITADEL: Stored XSS via Default URI Redirect in Login V2
    Summary
    ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user's browser when an affected login error path is reached. This issue is fixed in version 4.15.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56667",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:48:13.845508Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:58:28.907Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user\u0027s browser when an affected login error path is reached. This issue is fixed in version 4.15.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:25:46.882Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-5wcj-9wj4-j65h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-5wcj-9wj4-j65h"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/038265925a3b05ac1df8aad461ab071983e9eb85",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/038265925a3b05ac1df8aad461ab071983e9eb85"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.3"
            }
          ],
          "source": {
            "advisory": "GHSA-5wcj-9wj4-j65h",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Stored XSS via Default URI Redirect in Login V2"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56667",
        "datePublished": "2026-07-10T17:25:46.882Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T20:58:28.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56665 (GCVE-0-2026-56665)

    Vulnerability from cvelistv5 – Published: 2026-07-10 17:22 – Updated: 2026-07-10 18:17
    VLAI
    Title
    ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.15.2
    Affected: < 3.4.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56665",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T18:17:34.928689Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T18:17:48.365Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL\u0027s external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:22:46.079Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v77h-2w3m-94hx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v77h-2w3m-94hx"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-v77h-2w3m-94hx",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56665",
        "datePublished": "2026-07-10T17:22:46.079Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T18:17:48.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56664 (GCVE-0-2026-56664)

    Vulnerability from cvelistv5 – Published: 2026-07-10 17:21 – Updated: 2026-07-10 18:01
    VLAI
    Title
    ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.15.2
    Affected: < 3.4.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56664",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T18:01:03.850160Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T18:01:25.422Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL\u0027s external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:21:22.653Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wxg7-w2v3-w38g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wxg7-w2v3-w38g"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/4925fab849d39a88674485d937b79e54318b48a8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/d1c3aa84af8fcb0f33910ada30b866f4afb551ac"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-wxg7-w2v3-w38g",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56664",
        "datePublished": "2026-07-10T17:21:22.653Z",
        "dateReserved": "2026-06-22T16:39:01.043Z",
        "dateUpdated": "2026-07-10T18:01:25.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55672 (GCVE-0-2026-55672)

    Vulnerability from cvelistv5 – Published: 2026-07-10 17:19 – Updated: 2026-07-10 18:38
    VLAI
    Title
    ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.15.2
    Affected: < 3.4.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55672",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T18:38:05.489144Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T18:38:10.755Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL\u0027s OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:19:05.266Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xqxv-4jc2-x56x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xqxv-4jc2-x56x"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/562403079a98cf2059cdac11865a45e2f285be71",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/562403079a98cf2059cdac11865a45e2f285be71"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/5b1708e0e650398f0ebc3341714f0798b0118917",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/5b1708e0e650398f0ebc3341714f0798b0118917"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-xqxv-4jc2-x56x",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55672",
        "datePublished": "2026-07-10T17:19:05.266Z",
        "dateReserved": "2026-06-17T00:05:03.778Z",
        "dateUpdated": "2026-07-10T18:38:10.755Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55671 (GCVE-0-2026-55671)

    Vulnerability from cvelistv5 – Published: 2026-07-10 17:17 – Updated: 2026-07-10 17:17
    VLAI
    Title
    ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
    Summary
    ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL\u0027s HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:17:50.095Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-29jh-8cfq-rr8x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-29jh-8cfq-rr8x"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/b6f78086913b8d916bce9ab2e049ab0d84f947fd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/b6f78086913b8d916bce9ab2e049ab0d84f947fd"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-29jh-8cfq-rr8x",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55671",
        "datePublished": "2026-07-10T17:17:50.095Z",
        "dateReserved": "2026-06-17T00:05:03.778Z",
        "dateUpdated": "2026-07-10T17:17:50.095Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55670 (GCVE-0-2026-55670)

    Vulnerability from cvelistv5 – Published: 2026-07-10 17:15 – Updated: 2026-07-10 20:58
    VLAI
    Title
    ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
    Summary
    ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: < 4.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55670",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:46:22.799188Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:58:36.084Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL\u0027s event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization\u0027s administrator. This issue is fixed in version 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T17:15:44.783Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6x8v-2fq5-2229",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6x8v-2fq5-2229"
            },
            {
              "name": "https://github.com/zitadel/zitadel/pull/12261",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/pull/12261"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/a939b847d90c3370bd162064e57764b89c01be46",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/a939b847d90c3370bd162064e57764b89c01be46"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-6x8v-2fq5-2229",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55670",
        "datePublished": "2026-07-10T17:15:44.783Z",
        "dateReserved": "2026-06-17T00:05:03.777Z",
        "dateUpdated": "2026-07-10T20:58:36.084Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55669 (GCVE-0-2026-55669)

    Vulnerability from cvelistv5 – Published: 2026-07-10 16:58 – Updated: 2026-07-10 18:16
    VLAI
    Title
    ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer (iss) but not the audience (aud) claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted by ZITADEL. This issue is fixed in versions 3.4.12 and 4.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.15.2
    Affected: < 3.4.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55669",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T18:16:38.817721Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T18:16:52.558Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.15.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL\u0027s external JWT Identity Provider validates a token\u0027s signature and issuer (iss) but not the audience (aud) claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted by ZITADEL. This issue is fixed in versions 3.4.12 and 4.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T16:59:39.408Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g5h5-m4hm-xjrr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g5h5-m4hm-xjrr"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
            }
          ],
          "source": {
            "advisory": "GHSA-g5h5-m4hm-xjrr",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55669",
        "datePublished": "2026-07-10T16:58:46.140Z",
        "dateReserved": "2026-06-17T00:05:03.777Z",
        "dateUpdated": "2026-07-10T18:16:52.558Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44671 (GCVE-0-2026-44671)

    Vulnerability from cvelistv5 – Published: 2026-05-14 21:13 – Updated: 2026-05-15 18:05
    VLAI
    Title
    ZITADEL: LDAP Filter Injection in Login Flow
    Summary
    ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This vulnerability is fixed in 3.4.10 and 4.15.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 2.71.11, < 3.4.10
    Affected: >= 4.0.0, < 4.15.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44671",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T15:28:24.578778Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T18:05:06.108Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.71.11, \u003c 3.4.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel\u0027s LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This vulnerability is fixed in 3.4.10 and 4.15.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-90",
                  "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T21:13:03.077Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-rxvx-hhpj-q6px",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-rxvx-hhpj-q6px"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.10"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.15.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.0"
            }
          ],
          "source": {
            "advisory": "GHSA-rxvx-hhpj-q6px",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: LDAP Filter Injection in Login Flow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44671",
        "datePublished": "2026-05-14T21:13:03.077Z",
        "dateReserved": "2026-05-07T16:20:08.659Z",
        "dateUpdated": "2026-05-15T18:05:06.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33132 (GCVE-0-2026-33132)

    Vulnerability from cvelistv5 – Published: 2026-03-20 10:21 – Updated: 2026-03-20 19:31
    VLAI
    Title
    ZITADEL is missing enforcement of organization scopes
    Summary
    ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints. This allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.12.3
    Affected: >= 3.0.0-rc.1, < 3.4.9
    Affected: < 1.80.0-v2.20.0.20260317120401-d90285929ca0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33132",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T19:30:52.294049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T19:31:30.207Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0-rc.1, \u003c 4.12.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0-rc.1, \u003c 3.4.9"
                },
                {
                  "status": "affected",
                  "version": "\u003c 1.80.0-v2.20.0.20260317120401-d90285929ca0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes (urn:zitadel:iam:org:id:{id} and urn:zitadel:iam:org:domain:primary:{domainname}). If enforced, a user needs to be part of the required organization to sign in. While this was properly enforced for OAuth2/OIDC authorization requests in login V1, corresponding controls were missing for device authorization requests and all login V2 and OIDC API V2 endpoints.\nThis allowed users to bypass the restriction and sign in with users from other organizations. Note that this enforcement allows for an additional check during authentication and applications relying on authorizations / roles assignments are not affected by this bypass. This issue has been patched in versions 3.4.9 and 4.12.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-20T10:21:19.373Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m"
            },
            {
              "name": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.9"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.3"
            }
          ],
          "source": {
            "advisory": "GHSA-g2pf-ww5m-2r9m",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL is missing enforcement of organization scopes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33132",
        "datePublished": "2026-03-20T10:21:19.373Z",
        "dateReserved": "2026-03-17T20:35:49.928Z",
        "dateUpdated": "2026-03-20T19:31:30.207Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32132 (GCVE-0-2026-32132)

    Vulnerability from cvelistv5 – Published: 2026-03-11 21:40 – Updated: 2026-03-12 16:17
    VLAI
    Title
    ZITADEL: Reactivation of Expired Passkey Registration Codes
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow an attacker to potentially register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0, < 4.12.2
    Affected: < 3.4.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32132",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-12T15:11:28.138761Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-12T16:17:54.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.12.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel\u0027s passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow an attacker to potentially register their own passkey and gain access to the victim\u0027s account. This vulnerability is fixed in 3.4.8 and 4.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-11T21:40:07.055Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2x66-r53r-9r86",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2x66-r53r-9r86"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-2x66-r53r-9r86",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL: Reactivation of Expired Passkey Registration Codes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32132",
        "datePublished": "2026-03-11T21:40:07.055Z",
        "dateReserved": "2026-03-10T22:19:36.545Z",
        "dateUpdated": "2026-03-12T16:17:54.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32131 (GCVE-0-2026-32131)

    Vulnerability from cvelistv5 – Published: 2026-03-11 21:38 – Updated: 2026-03-12 16:18
    VLAI
    Title
    ZITADEL Cross-Tenant Information Disclosure in Management API
    Summary
    ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant’s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0, < 4.12.2
    Affected: < 3.4.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32131",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-12T15:44:01.072159Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-12T16:18:01.726Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.12.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 3.4.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel\u0027s Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant\u2019s project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-11T21:40:24.067Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wr6r-59xg-4pj2"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-wr6r-59xg-4pj2",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL Cross-Tenant Information Disclosure in Management API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32131",
        "datePublished": "2026-03-11T21:38:51.942Z",
        "dateReserved": "2026-03-10T22:19:36.545Z",
        "dateUpdated": "2026-03-12T16:18:01.726Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32130 (GCVE-0-2026-32130)

    Vulnerability from cvelistv5 – Published: 2026-03-11 21:37 – Updated: 2026-03-12 16:18
    VLAI
    Title
    ZITADEL SCIM Authentication Bypass via URL Encoding
    Summary
    ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    zitadel zitadel Affected: >= 4.0.0, < 4.12.2
    Affected: >= 2.68.0, < 3.4.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-12T15:15:07.742217Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-12T16:18:08.397Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "zitadel",
              "vendor": "zitadel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.0.0, \u003c 4.12.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.68.0, \u003c 3.4.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-11T21:37:07.369Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-83pv-4xxp-rm2x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-83pv-4xxp-rm2x"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.8"
            },
            {
              "name": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zitadel/zitadel/releases/tag/v4.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-83pv-4xxp-rm2x",
            "discovery": "UNKNOWN"
          },
          "title": "ZITADEL SCIM Authentication Bypass via URL Encoding"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32130",
        "datePublished": "2026-03-11T21:37:07.369Z",
        "dateReserved": "2026-03-10T22:19:36.545Z",
        "dateUpdated": "2026-03-12T16:18:08.397Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }