CVE-2026-23511
published 2026-01-15

Priority: P4 (32)
CVSS 3.1: 5.3 (medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.36% (28.1th percentile)
ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.

Affected (7 ranges)

Vendor       Product           Version range        Fixed in
github.com   zitadel_zitadel   >= 0 < 3.4.6         3.4.6
github.com   zitadel_zitadel   >= 4.0.0 < 4.9.1     4.9.1
zitadel      zitadel           < 3.4.6              3.4.6
zitadel      zitadel
zitadel      zitadel           2.0.0 – 2.71.19
zitadel      zitadel           >= 3.0.0 < 3.4.6     3.4.6
zitadel      zitadel           >= 4.0.0 < 4.9.1     4.9.1