cbcvebase.
CVE-2026-44671
published 2026-05-14

CVE-2026-44671: ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity…

PriorityP350high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.48%
37.8th percentile
ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This vulnerability is fixed in 3.4.10 and 4.15.0.

Affected

7 ranges
VendorProductVersion rangeFixed in
github.comzitadel_zitadel2.71.11 – 2.71.19
github.comzitadel_zitadel>= 3.1.0 < 3.4.103.4.10
github.comzitadel_zitadel>= 4.0.0 < 4.15.04.15.0
zitadelzitadel
zitadelzitadel
zitadelzitadel>= 2.71.11 < 3.4.103.4.10
zitadelzitadel>= 4.0.0 < 4.15.04.15.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.