CVE-2026-29067
Published 2026-03-07. CVE-2026-29067: ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset…
Priority P354 · critical · CVSS 3.1 base score 9.3 · vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS 0.32% (23.9th percentile)
ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| github.com | zitadel_zitadel | 1.83.4 – 1.87.5 | — |
| github.com | zitadel_zitadel | >= 1.83.4 | — |
| github.com | zitadel_zitadel | >= 4.0.0-rc.1 < 4.7.1 | 4.7.1 |
| github.com | zitadel_zitadel_v2 | >= 0 < 1.80.0-v2.20.0.20251208091519-4c879b47334e | 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| zitadel | zitadel | — | — |
| zitadel | zitadel | >= 4.0.0 < 4.7.1 | 4.7.1 |
OSV
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel
osv·2025-12-15
CVE-2026-29067 ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v4.0.0-rc.1 before v4.7.1.
GHSA
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
ghsa·2025-12-08
CVE-2026-29067 [HIGH] CWE-601 ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
### Summary
A potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.
### Impact
If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's passwor
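The pattern the advisory describes, as an added Go example that is not ZITADEL's code: the host of the emailed reset link is taken from the proxy headers (X-Forwarded-Host, or the host= parameter of an RFC 7239 Forwarded header), so a request that carries a spoofed value yields a link to a foreign domain. The hardened variant accepts the forwarded host only if it matches a configured allowlist of instance hosts. The allowlist entries, path, parameter name and hostnames are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// ErrUntrustedHost is returned when the proxy-supplied host is not a known instance host.
var ErrUntrustedHost = errors.New("forwarded host is not an allowed instance host")

// instanceHosts is a constructed allowlist standing in for the set of hostnames an
// identity provider deployment is actually configured to serve (hypothetical values).
var instanceHosts = map[string]bool{
	"login.example.com": true,
	"auth.example.com":  true,
}

// forwardedHost extracts the host a reverse proxy claims the client used, in the order
// X-Forwarded-Host, then the RFC 7239 Forwarded header's host= parameter, then Host.
// Only the first entry of a comma-separated proxy chain is used.
func forwardedHost(r *http.Request) string {
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		return strings.TrimSpace(strings.Split(h, ",")[0])
	}
	if fwd := r.Header.Get("Forwarded"); fwd != "" {
		first := strings.Split(fwd, ",")[0]
		for _, pair := range strings.Split(first, ";") {
			k, v, ok := strings.Cut(strings.TrimSpace(pair), "=")
			if ok && strings.EqualFold(k, "host") {
				return strings.Trim(strings.TrimSpace(v), `"`)
			}
		}
	}
	return r.Host
}

// canonicalHost lower-cases the host and drops an explicit port so that
// "Auth.Example.com:443" compares equal to the allowlist entry.
func canonicalHost(host string) string {
	host = strings.ToLower(strings.TrimSpace(host))
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return host
}

// vulnerableResetLink reproduces the weakness the advisory describes: the host of the
// emailed link comes straight from a header any client or misconfigured proxy can set.
func vulnerableResetLink(r *http.Request, code string) string {
	return fmt.Sprintf("https://%s/password/change?code=%s",
		forwardedHost(r), url.QueryEscape(code))
}

// hardenedResetLink only accepts a forwarded host that matches a configured instance
// host; anything else is rejected so the secret code is never emailed under a
// domain the deployment does not own.
func hardenedResetLink(r *http.Request, code string) (string, error) {
	host := canonicalHost(forwardedHost(r))
	if !instanceHosts[host] {
		return "", ErrUntrustedHost
	}
	u := url.URL{
		Scheme:   "https",
		Host:     host,
		Path:     "/password/change",
		RawQuery: url.Values{"code": {code}}.Encode(),
	}
	return u.String(), nil
}

// newRequest builds a constructed request carrying the given proxy headers.
func newRequest(host string, headers map[string]string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "https://"+host+"/password/reset", nil)
	r.Host = host
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	spoofed := newRequest("login.example.com", map[string]string{"X-Forwarded-Host": "attacker.example"})
	fmt.Println("vulnerable:", vulnerableResetLink(spoofed, "s3cret"))
	if _, err := hardenedResetLink(spoofed, "s3cret"); err != nil {
		fmt.Println("hardened:", err)
	}
	legit := newRequest("login.example.com", map[string]string{
		"Forwarded": `for=203.0.113.7;host="Auth.Example.com:443";proto=https`,
	})
	link, _ := hardenedResetLink(legit, "s3cret")
	fmt.Println("hardened:", link)
}
```

Allowlisting the host is the check a deployment can apply in its own reverse proxy or application layer; a simpler alternative with the same effect is to ignore proxy headers entirely and build the link from a single configured external URL. Either way, the secret code should only ever be embedded in a URL whose host the operator controls.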
OSV
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
osv·2025-12-08
CVE-2026-29067 [HIGH] ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
No detection rules found.
No public exploits indexed.
Published: 2026-03-07