CVE-2026-29193
Published 2026-03-07
Priority: P349 · Severity: high · CVSS 3.1 base score: 8.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.31% (22.9th percentile)
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in ZITADEL's login V2 UI allowed users to bypass the organization's login behavior and security policies: they could self-register new accounts or sign in with a password even when the corresponding options were disabled for their organization. This issue has been patched in version 4.12.1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 4.0.0 < 4.12.1 | 4.12.1 |
| github.com | zitadel_zitadel_v2 | >= 4.0.0 < 4.12.1 | 4.12.1 |
| zitadel | zitadel | — | — |
| zitadel | zitadel | >= 4.0.0 < 4.12.1 | 4.12.1 |
OSV
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication in github.com/zitadel/zitadel
osv·2026-03-10
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v4.0.0 before v4.12.1.
GHSA
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
ghsa·2026-03-04 · CVE-2026-29193 · Severity: HIGH · CWE-287 (Improper Authentication)
### Summary
A vulnerability in ZITADEL's login V2 UI allowed users to bypass the organization's login behavior and security policies and to self-register new accounts or sign in with a password even when the corresponding options were disabled in their organization.
### Impact
Zitadel enables administrators to configure their organization’s login behavior and security policies. As part of this functionality, they can disable user self-registration, enforce passwordless logins only, and more.
Because these policies were not enforced on the server side, an attacker could send HTTP requests directly to the login UI endpoints, create accounts in organizations that had disabled user self-registration, and thereby gain unauthorized access to the system.
The same attack vector c
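The advisory's attack vector is a client-side control (the UI hides the "register" and "password" options) that the endpoints behind it never re-check. The following Go program is an added illustration of that bug class and its fix; it is not ZITADEL's code, and the `LoginPolicy`, `Server`, endpoint paths, organization IDs and user records are all invented for the example. It models one backend whose `/register` and `/login/password` handlers can run either without the server-side policy check (the vulnerable shape) or with it (the fixed shape), then replays the advisory's direct requests against both, bypassing the UI entirely.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// LoginPolicy is a hypothetical per-organization login policy carrying the two
// settings the advisory names. It is an illustration, not ZITADEL's own type.
type LoginPolicy struct {
	AllowSelfRegister  bool
	AllowPasswordLogin bool
}

// Server is a hypothetical login backend with in-memory policies (keyed by
// organization) and users (keyed by "org/user"). Passwords are stored in
// plaintext purely to keep the demo short.
type Server struct {
	policies map[string]LoginPolicy
	users    map[string]string
	enforce  bool // false reproduces the bug class: the UI hides the option, the endpoint does not check it
}

// NewServer seeds constructed sample data: one locked-down org (passwordless
// only, no self-signup) with an existing user, and one open org.
func NewServer(enforce bool) *Server {
	return &Server{
		enforce: enforce,
		policies: map[string]LoginPolicy{
			"locked-org": {AllowSelfRegister: false, AllowPasswordLogin: false},
			"open-org":   {AllowSelfRegister: true, AllowPasswordLogin: true},
		},
		users: map[string]string{"locked-org/alice": "correct horse"},
	}
}

// policyAllows is the server-side check the vulnerable path skips.
// Organizations without a stored policy fail closed.
func (s *Server) policyAllows(org string, pick func(LoginPolicy) bool) bool {
	p, ok := s.policies[org]
	return ok && pick(p)
}

func (s *Server) handleRegister(w http.ResponseWriter, r *http.Request) {
	org, user := r.FormValue("org"), r.FormValue("user")
	if s.enforce && !s.policyAllows(org, func(p LoginPolicy) bool { return p.AllowSelfRegister }) {
		http.Error(w, "self-registration is disabled for this organization", http.StatusForbidden)
		return
	}
	key := org + "/" + user
	if _, exists := s.users[key]; exists {
		http.Error(w, "user already exists", http.StatusConflict)
		return
	}
	s.users[key] = r.FormValue("password")
	w.WriteHeader(http.StatusCreated)
}

func (s *Server) handlePasswordLogin(w http.ResponseWriter, r *http.Request) {
	org, user := r.FormValue("org"), r.FormValue("user")
	if s.enforce && !s.policyAllows(org, func(p LoginPolicy) bool { return p.AllowPasswordLogin }) {
		http.Error(w, "password login is disabled for this organization", http.StatusForbidden)
		return
	}
	if pw, ok := s.users[org+"/"+user]; !ok || pw != r.FormValue("password") {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// Handler wires the two endpoints; the UI that would normally hide them is
// deliberately absent, because the attacker never loads it.
func (s *Server) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/register", s.handleRegister)
	mux.HandleFunc("/login/password", s.handlePasswordLogin)
	return mux
}

// post sends a form-encoded request straight at an endpoint and returns the status code.
func post(h http.Handler, path string, form url.Values) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Probe replays the advisory's two direct requests against the locked-down org
// (plus a control request against the open org) and reports the status codes.
func Probe(enforce bool) map[string]int {
	h := NewServer(enforce).Handler()
	return map[string]int{
		"register_locked": post(h, "/register", url.Values{"org": {"locked-org"}, "user": {"mallory"}, "password": {"x"}}),
		"password_locked": post(h, "/login/password", url.Values{"org": {"locked-org"}, "user": {"alice"}, "password": {"correct horse"}}),
		"register_open":   post(h, "/register", url.Values{"org": {"open-org"}, "user": {"bob"}, "password": {"x"}}),
	}
}

func main() {
	for _, enforce := range []bool{false, true} {
		fmt.Printf("server-side policy check=%v: %v\n", enforce, Probe(enforce))
	}
}
```

With the check disabled, the direct `/register` call into `locked-org` returns 201 and alice's password login returns 200 even though the organization is configured passwordless-only; with the check enabled both return 403 while the open organization still accepts registrations. The practical lesson is that every login-flow endpoint must load and evaluate the organization's policy itself, failing closed when no policy is found, rather than relying on the UI not to offer the option.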
OSV
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
osv·2026-03-04 · CVE-2026-29193 [HIGH] (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.