
Github.Com Zitadel Zitadel vulnerabilities

40 known vulnerabilities affecting github.com/zitadel/zitadel.

Total CVEs: 40
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 22, MEDIUM 12, LOW 2, UNKNOWN 1

Vulnerabilities

Page 1 of 2
CVE-2025-64103 | P2 | HIGH | Affected: ≥ 0, < 1.80.0-v2.20.0.20251029091250-b284f8474eed | Date: 2025-10-29
CVE-2025-64103 [HIGH] CWE-287: Zitadel May Bypass Second Authentication Factor
Summary: A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified.
Impact: Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens are issued for active sessions, which can be used as Bearer toke
Sources: GHSA, OSV
CVE-2025-64717 | P2 | HIGH | Affected: ≥ 4.0.0-rc.1, < 4.6.6; ≥ 3.0.0-rc.1, < 3.4.4; +2 more | Date: 2025-11-14
CVE-2025-64717 [HIGH] CWE-287: ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
Summary: A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication.
Impact: This vulnerability stems from the platform's failure t
Sources: GHSA, OSV
CVE-2025-67494 | P3 | CRITICAL | Affected: ≥ 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e; ≥ 1.83.4, ≤ 1.87.5; +1 more | Date: 2025-12-08
CVE-2025-67494 [CRITICAL] CWE-918: ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
Summary: Zitadel is vulnerable to an unauthenticated, full-read SSRF vulnerability. An unauthenticated remote attacker can force Zitadel into making HTTP requests to arbitrary domains, including internal addresses. The server then returns the upstream response to the attacker, enabling data exfiltration from internal services.
Sources: GHSA, OSV
CVE-2025-48936 | P3 | HIGH | Affected: ≥ 0, < 0.0.0-20250528081227-c097887bc5f6 | Date: 2025-05-28
CVE-2025-48936 [HIGH] CWE-601: ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
Impact: A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attack
Sources: GHSA, OSV
CVE-2024-49753 | P3 | MEDIUM | Affected: ≥ 2.64.0, < 2.64.1; ≥ 2.63.0, < 2.63.6; +7 more | Date: 2024-10-25
CVE-2024-49753 [MEDIUM] CWE-20: Denied Host Validation Bypass in Zitadel Actions
Summary: A flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security mea
Sources: GHSA, OSV
CVE-2026-29067 | P3 | HIGH | Affected: ≥ 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e; ≥ 1.83.4, ≤ 1.87.5; +1 more | Date: 2025-12-08
CVE-2026-29067 [HIGH] CWE-601: ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
Summary: A potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed t
Sources: GHSA, OSV
CVE-2025-27507 | P3 | CRITICAL | Affected: ≥ 0, < 2.63.8; ≥ 2.64.0, < 2.64.5; +6 more | Date: 2025-03-04
CVE-2025-27507 [CRITICAL] CWE-639: IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
Summary: ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate L
Sources: GHSA, OSV
CVE-2024-49757 | P4 | HIGH | PoC available | Affected: ≥ 2.63.0, < 2.63.5; ≥ 2.62.0, < 2.62.7; +4 more | Date: 2024-10-25
CVE-2024-49757 [HIGH] CWE-287: User Registration Bypass in Zitadel
Impact: Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.63.4, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way.
Patches: 2.x versio
Sources: GHSA, OSV
CVE-2025-64102 | P3 | HIGH | Affected: ≥ 0, < 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8 | Date: 2025-10-29
CVE-2025-64102 [HIGH] CWE-307: Zitadel allows brute-forcing authentication factors
Summary: A vulnerability in Zitadel allowed a brute-force attack on OTP, TOTP and password, allowing an attacker to impersonate the attacked user.
Impact: An attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism.
Sources: GHSA, OSV
CVE-2025-64431 | P3 | HIGH | Affected: ≥ 4.0.0-rc.1, < 4.6.3; ≥ 1.80.0-v2.20.0.20250414095945-f365cee73242, < 1.80.0-v2.20.0.20251105083648-8dcfff97ed52 | Date: 2025-11-05
CVE-2025-64431 [HIGH] CWE-639: IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tampering
Summary: ZITADEL's Organization V2Beta API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations.
Impact: ZITADEL's Organ
Sources: GHSA, OSV
CVE-2022-36051 | P3 | HIGH | Affected: ≥ 2.0.0, < 2.2.0; ≥ 1.42.0, < 1.87.1 | Date: 2022-08-30
CVE-2022-36051 [HIGH] CWE-436: Broken Authorization in ZITADEL Actions
Impact: Actions, introduced in ZITADEL 1.42.0 on the API and 1.56.0 for Console, is a feature where users with role ORG_OWNER are able to create JavaScript code, which is invoked by the system at certain points during the login. Actions, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization
Sources: GHSA, OSV
CVE-2026-44671 | P3 | HIGH | Affected: ≥ 4.0.0, < 4.15.0; ≥ 2.71.11, ≤ 2.71.19; +1 more | Date: 2026-05-08
CVE-2026-44671 [HIGH] CWE-90: ZITADEL has LDAP Filter Injection in Login Flow
Summary: A vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.
Impact: While this vulnerability does not allow for a full authenticati
Sources: GHSA
CVE-2024-29891 | P3 | HIGH | Affected: ≥ 0, < 2.42.17; ≥ 2.43.0, < 2.43.11; +5 more | Date: 2024-03-28
CVE-2024-29891 [HIGH] CWE-434: ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass
Impact: ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to dir
Sources: GHSA, OSV
CVE-2026-29193 | P3 | HIGH | Affected: ≥ 4.0.0, < 4.12.1 | Date: 2026-03-04
CVE-2026-29193 [HIGH] CWE-287: ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
Summary: A vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using a password even if the corresponding options were disabled in their organization.
Impact: Zitadel enables administrators to
Sources: GHSA, OSV
CVE-2026-29191 | P3 | CRITICAL | Affected: ≥ 4.0.0, < 4.12.0 | Date: 2026-03-04
CVE-2026-29191 [CRITICAL] CWE-79: ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
Summary: A vulnerability was discovered in Zitadel's login V2 interface that allowed a possible account takeover.
Impact: Zitadel exposes an HTTP endpoint named /saml-post. This endpoint is used for handling requests to SAML IdPs and accepts two HTTP GET parameters: url and id. When these parameters are supplied, users'
Sources: GHSA, OSV
CVE-2025-46815 | P3 | HIGH | Affected: ≥ 3.0.0-rc.1, < 3.0.0; ≥ 0, < 2.70.10; +1 more | Date: 2025-05-06
CVE-2025-46815 [HIGH] CWE-294: ZITADEL Allows IdP Intent Token Reuse
Impact: ZITADEL offers developers the ability to manage user sessions using the Session API (https://zitadel.com/docs/category/apis/resources/session_service_v2/session-service). This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to au
Sources: GHSA, OSV
CVE-2023-49097 | P3 | HIGH | Affected: ≥ 2.39.0, < 2.39.9; ≥ 2.40.0, < 2.40.10; +1 more | Date: 2023-11-29
CVE-2023-49097 [HIGH] CWE-640: ZITADEL Account Takeover via Malicious Host Header Injection
Impact: ZITADEL uses the notification-triggering request's Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's p
Sources: GHSA, OSV
CVE-2024-32868 | P3 | HIGH | Affected: ≥ 0, < 2.50.0 | Date: 2024-04-25
CVE-2024-32868 [HIGH] CWE-287: ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass
Impact: ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks.
Patches: 2.x versio
Sources: GHSA, OSV
CVE-2026-29192 | P3 | HIGH | Affected: ≥ 4.0.0, < 4.12.0 | Date: 2026-03-04
CVE-2026-29192 [HIGH] CWE-79: ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
Summary: A vulnerability in Zitadel's login V2 interface was discovered, allowing for possible account takeover.
Impact: Zitadel allows organization administrators to change the default redirect URI for their organization. This setting enables them to redirect users to an arbitrary location after they log in. Due to
Sources: GHSA, OSV
CVE-2026-27945 | P3 | UNKNOWN | Affected: ≥ 0, < 1.80.0-v2.20.0.20260225053328-b2532e966621 | Date: 2026-03-10
CVE-2026-27945: ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel
ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affec
Sources: OSV