CVE-2026-23511
Published 2026-01-15
Priority: P4 (32) · Severity: Medium, CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.36% (28.1 percentile)
ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 3.4.6 | 3.4.6 |
| github.com | zitadel_zitadel | >= 4.0.0 < 4.9.1 | 4.9.1 |
| zitadel | zitadel | < 3.4.6 | 3.4.6 |
| zitadel | zitadel | 2.0.0 – 2.71.19 | — |
| zitadel | zitadel | >= 3.0.0 < 3.4.6 | 3.4.6 |
| zitadel | zitadel | >= 4.0.0 < 4.9.1 | 4.9.1 |

The 2.0.0 – 2.71.19 row carries no fixed version: the advisory names only 3.4.6 and 4.9.1 as fixed releases, so a 2.x deployment has to move to one of those lines rather than wait for a 2.x patch.
OSV · 2026-01-23
CVE-2026-23511: Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel before v3.4.6, from v4.0.0 before v4.9.1.
OSV · 2026-01-15
CVE-2026-23511 [MEDIUM]: Zitadel has a user enumeration vulnerability in Login UIs
### Summary
A user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.
### Impact
The login UIs (login v1 and login v2) let a visitor request a password reset; an email with a link to a verification endpoint is then sent to the user.
By submitting arbitrary userIDs to these endpoints, an attacker can differentiate between valid and invalid accounts based on the system's response.
For an effective exploit the attacker needs to iterate through the potential set of userIDs. The impact can be limited by implementing [rate limiting](https://zitadel.com/
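To make the oracle in the advisory concrete, here is an added example written for this page (it is not Zitadel's code): a minimal Go password-reset handler in its leaking form next to a hardened one, plus a small client that iterates userIDs the way the advisory describes. The user store, the userIDs, the /password/reset path and the message strings are all constructed assumptions; the probe runs against net/http/httptest so the whole thing executes offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// users is a constructed stand-in for the identity store; the userIDs and
// addresses are made up for this example.
var users = map[string]string{
	"249895471854452742": "alice@example.com",
	"249895471854452743": "bob@example.com",
}

func sendResetMail(email string) {} // stub: a real handler would enqueue the mail

// vulnerableReset reproduces the response oracle the advisory describes: the
// password-reset endpoint answers differently for existing and unknown userIDs.
func vulnerableReset(w http.ResponseWriter, r *http.Request) {
	email, ok := users[r.FormValue("userID")]
	if !ok {
		http.Error(w, "user not found", http.StatusNotFound) // distinguishable
		return
	}
	sendResetMail(email)
	fmt.Fprint(w, "reset mail sent")
}

// hardenedReset returns the same status and body whatever the userID. The mail
// still goes out only for real accounts, but the caller cannot observe that.
func hardenedReset(w http.ResponseWriter, r *http.Request) {
	if email, ok := users[r.FormValue("userID")]; ok {
		sendResetMail(email)
	}
	fmt.Fprint(w, "if the account exists, a reset mail has been sent")
}

// enumerate plays the attacker: it records the response for a userID assumed
// not to exist, then submits each candidate and keeps those whose status or
// body differs from that baseline.
func enumerate(h http.HandlerFunc, candidates []string) []string {
	srv := httptest.NewServer(h)
	defer srv.Close()
	probe := func(id string) (int, string) {
		// /password/reset is an assumed path, not Zitadel's real route.
		resp, err := http.PostForm(srv.URL+"/password/reset", url.Values{"userID": {id}})
		if err != nil {
			panic(err)
		}
		defer resp.Body.Close()
		body, _ := io.ReadAll(resp.Body)
		return resp.StatusCode, string(body)
	}
	baseStatus, baseBody := probe("000000000000000000")
	var found []string
	for _, id := range candidates {
		if status, body := probe(id); status != baseStatus || body != baseBody {
			found = append(found, id)
		}
	}
	return found
}

func main() {
	ids := []string{"249895471854452742", "249895471854452743", "249895471854452744"}
	fmt.Println("vulnerable handler leaks:", enumerate(vulnerableReset, ids))
	fmt.Println("hardened handler leaks:  ", enumerate(hardenedReset, ids))
}
```

A uniform status and body close the direct oracle. In practice the handler's timing must not depend on the lookup outcome either (send the mail asynchronously rather than inline), and, as the advisory notes, rate limiting on the endpoint makes the remaining iteration over the userID space expensive.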
GHSA · 2026-01-15
CVE-2026-23511 [MEDIUM] CWE-203 (Observable Discrepancy): Zitadel has a user enumeration vulnerability in Login UIs
No detection rules found.
No public exploits indexed.
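On the detection side, since no rule is indexed here: the exploitation pattern the advisory describes is one client submitting many distinct userIDs to the reset endpoint in a short span, which is what a rule should key on. The following is an added Go example for this page, not Zitadel's tooling. The JSON-lines format, the field names, the /password/reset path and the IP addresses are constructed assumptions; point parseLog at whatever your reverse proxy or access log actually emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed JSON-lines access log. The field names, the
// /password/reset path and the addresses are assumptions for this example,
// not Zitadel's real log format or routes.
const sampleLog = `
{"ts":"2026-01-16T10:00:00Z","src_ip":"203.0.113.7","path":"/password/reset","user_id":"249895471854452740","status":404}
{"ts":"2026-01-16T10:00:03Z","src_ip":"203.0.113.7","path":"/password/reset","user_id":"249895471854452741","status":404}
{"ts":"2026-01-16T10:00:05Z","src_ip":"203.0.113.7","path":"/password/reset","user_id":"249895471854452742","status":200}
{"ts":"2026-01-16T10:00:08Z","src_ip":"203.0.113.7","path":"/password/reset","user_id":"249895471854452743","status":200}
{"ts":"2026-01-16T10:00:12Z","src_ip":"203.0.113.7","path":"/password/reset","user_id":"249895471854452744","status":404}
{"ts":"2026-01-16T10:00:15Z","src_ip":"203.0.113.7","path":"/password/reset","user_id":"249895471854452745","status":404}
{"ts":"2026-01-16T10:01:00Z","src_ip":"198.51.100.4","path":"/password/reset","user_id":"249895471854452742","status":200}
{"ts":"2026-01-16T10:03:00Z","src_ip":"198.51.100.4","path":"/password/reset","user_id":"249895471854452742","status":200}
`

type event struct {
	TS     time.Time
	SrcIP  string
	Path   string
	UserID string
}

// parseLog decodes one JSON object per line, skipping blank lines.
func parseLog(text string) ([]event, error) {
	var out []event
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var raw struct {
			TS     string `json:"ts"`
			SrcIP  string `json:"src_ip"`
			Path   string `json:"path"`
			UserID string `json:"user_id"`
		}
		if err := json.Unmarshal([]byte(line), &raw); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		ts, err := time.Parse(time.RFC3339, raw.TS)
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		out = append(out, event{TS: ts, SrcIP: raw.SrcIP, Path: raw.Path, UserID: raw.UserID})
	}
	return out, nil
}

// detectEnumeration flags source IPs that submitted at least threshold distinct
// userIDs to path within any window-long span (sliding window per IP). Repeats
// of the same userID, i.e. a legitimate user retrying, do not add to the count.
func detectEnumeration(events []event, path string, window time.Duration, threshold int) []string {
	perIP := map[string][]event{}
	for _, e := range events {
		if e.Path == path && e.UserID != "" {
			perIP[e.SrcIP] = append(perIP[e.SrcIP], e)
		}
	}
	var flagged []string
	for ip, evs := range perIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].TS.Before(evs[j].TS) })
		inWindow := map[string]int{} // userID -> occurrences inside the window
		lo := 0
		for hi := range evs {
			inWindow[evs[hi].UserID]++
			for evs[hi].TS.Sub(evs[lo].TS) > window { // drop events that fell out of the window
				inWindow[evs[lo].UserID]--
				if inWindow[evs[lo].UserID] == 0 {
					delete(inWindow, evs[lo].UserID)
				}
				lo++
			}
			if len(inWindow) >= threshold {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("enumeration suspects:", detectEnumeration(events, "/password/reset", time.Minute, 5))
}
```

Counting distinct userIDs rather than raw requests is what separates a user who retries the reset form from an enumeration sweep; the window and threshold are tuning knobs, and the same keying (source, distinct identifiers, time) is what a rate limit on the endpoint would use.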
References:
- https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2
- https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d
- https://github.com/zitadel/zitadel/releases/tag/v3.4.6
- https://github.com/zitadel/zitadel/releases/tag/v4.9.1
- https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r

Published: 2026-01-15