github.com/zitadel/zitadel vulnerabilities
40 known vulnerabilities affecting github.com/zitadel/zitadel.
Total CVEs: 40
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 22, MEDIUM 12, LOW 2, UNKNOWN 1
Vulnerabilities
Page 2 of 2
CVE-2026-27946 | P3 | HIGH | Affected: ≥ 4.0.0, < 4.11.1; ≥ 2.43.0, < 3.4.7; +1 more | Published: 2026-02-27
CVE-2026-27946 [HIGH] CWE-862 ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
### Summary
A vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process.
### Impact
Zitadel provides an API for managing users. The API also allows users to self-manage their own data including updating the email and phone.
Due
CVE-2024-28197 | P3 | HIGH | Affected: ≥ 0, < 2.44.3; ≥ 2.45.0, < 2.45.1 | Published: 2024-03-11
CVE-2024-28197 [HIGH] CWE-269 Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
### Impact
ZITADEL uses a cookie to identify the user agent (browser) and its user sessions.
Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the
CVE-2024-39683 | P3 | MEDIUM | Affected: ≥ 2.0.0, < 2.53.8; ≥ 2.54.0, < 2.54.5; +1 more | Published: 2024-07-05
CVE-2024-39683 [MEDIUM] CWE-200 ZITADEL Vulnerable to Session Information Leakage
### Impact
ZITADEL provides users the ability to list all user sessions of the current user agent (browser) by API and in the Console UI.
Due to a missing check, user sessions without that information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users' sessions.
Note that the Login UI was never affected and th
CVE-2026-33132 | P4 | MEDIUM | Affected: ≥ 4.0.0-rc.1, < 4.12.3; ≥ 3.0.0-rc.1, < 3.4.9; +1 more | Published: 2026-03-18
CVE-2026-33132 [MEDIUM] CWE-863 Zitadel is missing enforcement of organization scopes
### Summary
A vulnerability in Zitadel's OAuth2/OIDC interface allowed users to bypass organization enforcement during authentication.
### Impact
Zitadel allows applications to enforce an organization context during authentication using [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes) (`urn:zitadel:iam:org:id:{id}` and `ur
CVE-2025-67495 | P4 | HIGH | Affected: ≥ 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e; ≥ 1.83.4, ≤ 1.87.5; +1 more | Published: 2025-12-08
CVE-2025-67495 [HIGH] CWE-79 ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
### Summary
A potential vulnerability exists in ZITADEL's logout endpoint in login V2. This endpoint accepts several parameters, including a `post_logout_redirect`. When this parameter is specified, users are redirected to the site provided via this parameter.
ZITADEL's login UI did not ensure that this
CVE-2026-23511 | P4 | MEDIUM | Affected: ≥ 4.0.0, < 4.9.1; ≥ 0, < 3.4.6 | Published: 2026-01-15
CVE-2026-23511 [MEDIUM] CWE-203 Zitadel has a user enumeration vulnerability in Login UIs
### Summary
A user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.
### Impact
The login UIs (in version 1 and 2) provide the possibility to request a password reset, where an em
CVE-2023-22492 | P4 | MEDIUM | Affected: ≥ 2.17.0, < 2.17.3; ≥ 2.0.0, < 2.16.4 | Published: 2023-01-11
CVE-2023-22492 [MEDIUM] CWE-613 Zitadel RefreshToken invalidation vulnerability
### Impact
Refresh tokens are an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without interacting with a UI.
Refresh tokens were not invalidated when a user was locked or deactivated. A deactivated or locked user could therefore still obtain a valid access token, though only through the refresh token grant.
When the
CVE-2023-44399 | P4 | MEDIUM | Affected: ≥ 0, < 2.37.3 | Published: 2023-10-10
CVE-2023-44399 [MEDIUM] CWE-640 ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting
### Impact
ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting worked properly during the authentication process, it did not work correctly in the password reset flow. This meant th
CVE-2024-28855 | P4 | HIGH | Affected: ≥ 1.80.1, < 2.41.15; ≥ 2.42.0, < 2.42.15; +7 more | Published: 2024-03-18
CVE-2024-28855 [HIGH] CWE-20 Improper HTML sanitization in ZITADEL
### Impact
ZITADEL uses Go templates to render the login UI.
Due to an improper use of the `text/template` package instead of `html/template`, the Login UI did not sanitize input parameters. An attacker could create a malicious link injecting code that would be rendered as part of the login screen.
While it was possible to inject HTML including javascript, the execution of suc
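The difference this advisory turns on, shown as an added example that is not ZITADEL's code: the same one-line login template rendered once with `text/template` and once with `html/template`. The template, the `loginName` parameter and the payload are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// loginTmpl is an assumed, minimal stand-in for a login page that echoes a
// request parameter (a hypothetical "loginName" pre-fill) back into the HTML.
// It is not ZITADEL's real template.
const loginTmpl = `<input name="loginName" value="{{.LoginName}}">`

// pageData is the template context; LoginName comes from the request URL and
// is therefore attacker-controlled when the victim follows a crafted link.
type pageData struct{ LoginName string }

// RenderWithTextTemplate reproduces the flawed behaviour: text/template has
// no notion of HTML context and copies the value into the page verbatim.
func RenderWithTextTemplate(loginName string) (string, error) {
	t, err := texttemplate.New("login").Parse(loginTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, pageData{LoginName: loginName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderWithHTMLTemplate is the fix: html/template sees that {{.LoginName}}
// sits inside a quoted attribute value and applies the escaper for that
// context, so quotes and angle brackets become entities and stay inert.
func RenderWithHTMLTemplate(loginName string) (string, error) {
	t, err := htmltemplate.New("login").Parse(loginTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, pageData{LoginName: loginName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed payload: closes the value attribute and injects a script tag.
	payload := `"><script>alert(document.cookie)</script>`
	unsafe, _ := RenderWithTextTemplate(payload)
	safe, _ := RenderWithHTMLTemplate(payload)
	fmt.Println("text/template:", unsafe)
	fmt.Println("html/template:", safe)
}
```

The fix is a one-import change, but it only holds if every template that touches request data goes through `html/template`; mixing the two packages in one code base is how this class of bug survives review.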
CVE-2024-41953 | P4 | MEDIUM | Affected: ≥ 1.80.1, < 2.52.3; ≥ 2.53.0, < 2.53.9; +7 more | Published: 2024-07-31
CVE-2024-41953 [MEDIUM] CWE-79 ZITADEL has improper HTML sanitization in emails and Console UI
### Impact
ZITADEL uses HTML for emails and renders certain information, such as usernames, dynamically. That information can be entered by users or administrators. Due to missing output sanitization, these emails could include malicious code.
This may potentially lead to a threat where an attacker, without privileges, could send out alt
CVE-2024-29892 | P4 | HIGH | Affected: ≥ 0, < 2.42.17; ≥ 2.43.0, < 2.43.11; +5 more | Published: 2024-03-28
CVE-2024-29892 [HIGH] CWE-863 ZITADEL's actions can overload reserved claims
### Impact
Under certain circumstances an action could set [reserved claims](https://zitadel.com/docs/apis/openidoauth/claims#reserved-claims) managed by ZITADEL.
For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`
```json
{"urn:zitadel:iam:user:resourceowner:name": "ACME"}
```
if it was not set by ZITADEL itself.
To compensate f
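A merge step that refuses reserved claims, added here as an example and not taken from ZITADEL's code. The `urn:zitadel:iam:` prefix generalizes the one claim name the advisory quotes, and the list of registered JWT claims is this example's own choice; both are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// reservedPrefix covers claims ZITADEL manages itself; the advisory quotes
// one such claim, "urn:zitadel:iam:user:resourceowner:name". Treating every
// claim under the prefix as reserved is an assumption of this example.
const reservedPrefix = "urn:zitadel:iam:"

// registeredClaims are JWT/OIDC claims an action must never set or override;
// the list is this example's choice, not taken from the advisory.
var registeredClaims = map[string]bool{
	"iss": true, "sub": true, "aud": true, "exp": true, "iat": true,
	"nbf": true, "jti": true, "azp": true, "nonce": true, "client_id": true,
}

// IsReserved reports whether an action is barred from setting this claim.
func IsReserved(name string) bool {
	return strings.HasPrefix(name, reservedPrefix) || registeredClaims[name]
}

// MergeActionClaims adds claims produced by an action to the claims already
// built for the token. Reserved names are dropped even when nothing has set
// them yet (the case the advisory describes), and an action never overwrites
// an existing claim. Rejected names are returned, sorted, for logging.
func MergeActionClaims(base, fromAction map[string]any) (map[string]any, []string) {
	out := make(map[string]any, len(base)+len(fromAction))
	for k, v := range base {
		out[k] = v
	}
	var rejected []string
	for k, v := range fromAction {
		if IsReserved(k) {
			rejected = append(rejected, k)
			continue
		}
		if _, exists := out[k]; exists {
			rejected = append(rejected, k)
			continue
		}
		out[k] = v
	}
	sort.Strings(rejected)
	return out, rejected
}

func main() {
	// Constructed token claims and a constructed action result.
	base := map[string]any{"sub": "181923475612398765", "email": "alice@example.com"}
	action := map[string]any{
		"urn:zitadel:iam:user:resourceowner:name": "ACME", // the advisory's example
		"sub":        "1",
		"email":      "attacker@example.com",
		"department": "engineering",
	}
	merged, rejected := MergeActionClaims(base, action)
	fmt.Println(merged)
	fmt.Println("rejected:", rejected)
}
```

Deciding by name rather than by "is it already set" is the point: the advisory's case is precisely a reserved claim that ZITADEL had not populated, so a presence check alone lets it through.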
CVE-2024-32967 | P4 | MEDIUM | Affected: ≥ 2.50.0, < 2.50.3; ≥ 2.49.0, < 2.49.5; +3 more | Published: 2024-05-01
CVE-2024-32967 [MEDIUM] CWE-200 Zitadel exposing internal database user name and host information
### Impact
In case ZITADEL could not connect to the database, connection information including db name, username and db host name could be returned to the user.
### Patches
2.x versions are fixed on >= [2.50.3](https://github.com/zitadel/zitadel/releases/tag/v2.50.3)
2.49.x versions are fixed on >= [2.49.5](https://github.com/zita
CVE-2024-41952 | P4 | MEDIUM | Affected: ≥ 2.53.0, < 2.53.9; ≥ 2.54.0, < 2.54.8; +6 more | Published: 2024-07-31
CVE-2024-41952 [MEDIUM] CWE-203 ZITADEL "ignoring unknown usernames" vulnerability
### Impact
ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid".
Due to an implementation change to prevent deadlocks calling the database, the fla
CVE-2026-27840 | P4 | MEDIUM | Affected: ≥ 4.0.0, < 4.11.0; ≥ 3.0.0, < 3.4.7; +2 more | Published: 2026-02-27
CVE-2026-27840 [MEDIUM] CWE-302 ZITADEL's truncated opaque tokens are still valid
### Summary
Opaque OIDC access tokens in the v2 format are still considered valid after being truncated to 80 characters.
ZITADEL uses symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, bu
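The advisory does not say which AES mode the opaque tokens use. The added example below (not ZITADEL's code) assumes an unauthenticated mode, AES-CTR, to show why a token cut to 80 characters still decrypts to a prefix that a lenient parser accepts, and contrasts it with AES-GCM, where the authentication tag rejects any truncation. The payload layout, key and identifiers are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// demoKey is a constructed 32-byte AES key for this example only.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

var ErrTokenTooShort = errors.New("opaque token too short")

// Payload builds a v2-style cleartext: identifiers joined by ':'. The field
// order and separator are assumptions, not ZITADEL's real layout.
func Payload(tokenID, userID, clientID string) []byte {
	return []byte(fmt.Sprintf("v2:%s:%s:%s:sess_9c2d4e6f8a1b", tokenID, userID, clientID))
}

// ParsePayload models a lenient consumer that only needs the leading fields.
func ParsePayload(pt []byte) (tokenID, userID string, ok bool) {
	f := strings.Split(string(pt), ":")
	if len(f) < 3 || f[0] != "v2" {
		return "", "", false
	}
	return f[1], f[2], true
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustBlock(key []byte) cipher.Block {
	block, err := aes.NewCipher(key) // panics on a wrong key length; demo only
	if err != nil {
		panic(err)
	}
	return block
}

// EncryptCTR gives confidentiality only: the keystream is position-based, so
// any prefix of the ciphertext decrypts to the same prefix of the plaintext.
func EncryptCTR(key, pt []byte) string {
	iv := randomBytes(aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCTR(mustBlock(key), iv).XORKeyStream(ct, pt)
	return base64.RawURLEncoding.EncodeToString(append(iv, ct...))
}

func DecryptCTR(key []byte, tok string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil {
		return nil, err
	}
	if len(raw) < aes.BlockSize {
		return nil, ErrTokenTooShort
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCTR(mustBlock(key), raw[:aes.BlockSize]).XORKeyStream(pt, raw[aes.BlockSize:])
	return pt, nil
}

// EncryptGCM adds an authentication tag over the whole ciphertext, so a
// truncated token fails Open instead of decrypting to a usable prefix.
func EncryptGCM(key, pt []byte) string {
	gcm, err := cipher.NewGCM(mustBlock(key))
	if err != nil {
		panic(err)
	}
	nonce := randomBytes(gcm.NonceSize())
	return base64.RawURLEncoding.EncodeToString(append(nonce, gcm.Seal(nil, nonce, pt, nil)...))
}

func DecryptGCM(key []byte, tok string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(mustBlock(key))
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, ErrTokenTooShort
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

func main() {
	pt := Payload("237586731276398593", "181923475612398765", "web-app")
	trunc, _ := DecryptCTR(demoKey, EncryptCTR(demoKey, pt)[:80])
	id, uid, ok := ParsePayload(trunc)
	fmt.Println("CTR token cut to 80 chars still parses:", ok, id, uid)
	_, err := DecryptGCM(demoKey, EncryptGCM(demoKey, pt)[:80])
	fmt.Println("GCM token cut to 80 chars:", err)
}
```

Two independent checks close this class of bug: authenticated encryption (so the ciphertext cannot be shortened at all) and a strict parser that requires every field, not just the ones it happens to need.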
CVE-2025-67717 | P4 | MEDIUM | Affected: ≥ 4.0.0-rc.1, < 4.7.2; ≥ 2.44.0, < 3.4.5; +1 more | Published: 2025-12-10
CVE-2025-67717 [MEDIUM] CWE-497 Zitadel Discloses the Total Number of Instance Users
### Summary
Zitadel's User Service discloses the total number of instance users to unauthorized users.
### Impact
The ZITADEL User Service exposes the total number of users within an instance to any authenticated user, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the `to
CVE-2023-47111 | P4 | HIGH | Affected: ≥ 2.39.0, < 2.40.5; ≥ 0, < 2.38.3 | Published: 2023-11-08
CVE-2023-47111 [HIGH] CWE-362 ZITADEL race condition in lockout policy execution
### Impact
ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum number of failed password check attempts. On every failed password check, the number of failed checks is compared against the configured maximum.
Exceeding the limit locks the user and prevents further authentication.
In the affected implementation it was po
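Added example (not ZITADEL's implementation) of a lockout policy whose read-check-count-lock sequence is atomic per user, so concurrent failed attempts cannot each read a stale counter and all pass the limit. The `CountOutcomes` helper fires concurrent wrong-password attempts and counts how many were actually evaluated; the `Lockout` type, its API and the sample credentials are assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
)

var (
	ErrLocked          = errors.New("user locked")
	ErrInvalidPassword = errors.New("invalid password")
)

type account struct {
	password string // plaintext only because this is a toy; store a hash in real code
	failed   int
	locked   bool
}

// Lockout enforces a maximum number of failed password checks per user.
// Reading the lock flag, checking the password, counting the failure and
// locking all happen under one mutex, so concurrent attempts cannot each
// read a stale counter and all slip past the configured maximum.
type Lockout struct {
	mu       sync.Mutex
	max      int
	accounts map[string]*account
}

func NewLockout(maxAttempts int) *Lockout {
	return &Lockout{max: maxAttempts, accounts: map[string]*account{}}
}

func (l *Lockout) AddUser(name, password string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.accounts[name] = &account{password: password}
}

// Attempt returns nil on success, ErrInvalidPassword while attempts remain,
// and ErrLocked once the policy has tripped (even for a correct password).
func (l *Lockout) Attempt(name, password string) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	a, ok := l.accounts[name]
	if !ok {
		return ErrInvalidPassword // same answer as a wrong password: no enumeration
	}
	if a.locked {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(password), []byte(a.password)) == 1 {
		a.failed = 0
		return nil
	}
	a.failed++
	if a.failed >= l.max {
		a.locked = true
	}
	return ErrInvalidPassword
}

// CountOutcomes fires n wrong-password attempts concurrently and tallies how
// many were actually evaluated (ErrInvalidPassword) versus refused
// (ErrLocked). With check-and-count done atomically, evaluated equals max.
func CountOutcomes(l *Lockout, name string, n int) (evaluated, refused int) {
	var wg sync.WaitGroup
	var mu sync.Mutex
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			err := l.Attempt(name, "wrong-password")
			mu.Lock()
			defer mu.Unlock()
			switch err {
			case ErrInvalidPassword:
				evaluated++
			case ErrLocked:
				refused++
			}
		}()
	}
	wg.Wait()
	return evaluated, refused
}

func main() {
	l := NewLockout(5)
	l.AddUser("alice", "correct horse battery staple")
	evaluated, refused := CountOutcomes(l, "alice", 50)
	fmt.Printf("evaluated=%d refused=%d\n", evaluated, refused) // evaluated=5 refused=45
}
```

The racy variant is the same code with the counter read and written outside the mutex (or in two separate database statements): fifty parallel requests can all observe `failed < max`, so the attacker gets fifty guesses against a policy of five. In a multi-instance deployment the equivalent of this mutex is a row lock or an atomic conditional update in the database.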
CVE-2026-55672 | HIGH | Affected: ≥ 0, < 1.80.0-v2.20.0.20260616131956-0973b074b488 | Published: 2026-06-18
CVE-2026-55672 [HIGH] CWE-287 ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
### Summary
Zitadel's OAuth2 / OIDC `CodeExchange` and `RefreshToken` implementations omit a critical validation step to ensure that the requesting client matches the client that originally initiated the auth
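Added example (not ZITADEL's code) of a token endpoint that stores the client_id with each authorization code and refresh token and refuses the grant from any other client, which is the binding this advisory reports as missing. The refresh grant additionally checks the user's state, the fix described in the CVE-2023-22492 entry above. `TokenServer`, its API and the sample identifiers are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

var (
	ErrInvalidGrant = errors.New("invalid_grant")
	ErrUserInactive = errors.New("invalid_grant: user locked or deactivated")
)

// authCode records what the authorization endpoint knew when it issued the
// code; keeping client_id here is what makes the RFC 6749 §4.1.3 check possible.
type authCode struct {
	clientID, userID string
	used             bool
}

type refreshToken struct{ clientID, userID string }

// TokenServer is an assumed in-memory stand-in for authorization-server
// state, not ZITADEL's implementation. Active marks users that are neither
// locked nor deactivated.
type TokenServer struct {
	mu      sync.Mutex
	codes   map[string]*authCode
	refresh map[string]*refreshToken
	Active  map[string]bool
}

func NewTokenServer() *TokenServer {
	return &TokenServer{
		codes:   map[string]*authCode{},
		refresh: map[string]*refreshToken{},
		Active:  map[string]bool{},
	}
}

func newOpaque() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// IssueCode models the authorization endpoint after the user has logged in.
func (s *TokenServer) IssueCode(clientID, userID string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	code := newOpaque()
	s.codes[code] = &authCode{clientID: clientID, userID: userID}
	return code
}

// Exchange models the authorization_code grant and returns a refresh token.
func (s *TokenServer) Exchange(code, clientID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.codes[code]
	if !ok || c.used {
		return "", ErrInvalidGrant
	}
	c.used = true // single use, whatever happens next
	// The binding the advisory reports as missing: only the client the code
	// was issued to may redeem it. A mismatch burns the code on the
	// assumption that it has leaked.
	if c.clientID != clientID {
		return "", ErrInvalidGrant
	}
	rt := newOpaque()
	s.refresh[rt] = &refreshToken{clientID: clientID, userID: c.userID}
	return rt, nil
}

// Refresh models the refresh_token grant: the same client binding, plus the
// user-state check from CVE-2023-22492 so a locked or deactivated user
// cannot keep minting access tokens. Returns a new access token.
func (s *TokenServer) Refresh(token, clientID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt, ok := s.refresh[token]
	if !ok || rt.clientID != clientID {
		return "", ErrInvalidGrant
	}
	if !s.Active[rt.userID] {
		delete(s.refresh, token) // revoke instead of leaving it redeemable later
		return "", ErrUserInactive
	}
	return newOpaque(), nil
}

func main() {
	s := NewTokenServer()
	s.Active["user-1"] = true
	code := s.IssueCode("web-app", "user-1")
	_, err := s.Exchange(code, "other-app")
	fmt.Println("exchange by a different client_id:", err)
}
```

The `clientID` argument is whatever the token endpoint authenticated (client secret, private_key_jwt, or the bare `client_id` of a public client with PKCE); the comparison is what stops a code or refresh token stolen from one client from being redeemed by another.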
CVE-2026-55669 | MEDIUM | Affected: ≥ 0, < 1.80.0-v2.20.0.20260615132747-d184e976fc79 | Published: 2026-06-18
CVE-2026-55669 [MEDIUM] CWE-346 ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
### Summary
An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.
When validating JSON Web Tokens (JWTs) from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer (`iss`), but it fails to validate the audience (`aud`)
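Added example (not ZITADEL's code) of the claim checks a relying party must run on a JWT from an external IdP, including the audience check the advisory reports as missing. It signs with HS256 so that it runs offline; an external IdP would use an RSA or EC key, but the claim checks are the same. The key, issuer and audience values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrMalformed = errors.New("jwt: malformed token")
	ErrAlgorithm = errors.New("jwt: unexpected alg")
	ErrSignature = errors.New("jwt: bad signature")
	ErrIssuer    = errors.New("jwt: unexpected iss")
	ErrExpired   = errors.New("jwt: expired")
	ErrAudience  = errors.New("jwt: aud does not name this relying party")
)

// Claims holds the registered claims this example checks. Aud stays raw
// because RFC 7519 allows it to be a string or an array of strings.
type Claims struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud,omitempty"`
	Exp int64           `json:"exp"`
}

// Audiences normalises aud to a slice (nil when the claim is absent).
func (c *Claims) Audiences() ([]string, error) {
	if len(c.Aud) == 0 {
		return nil, nil
	}
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(c.Aud, &many); err != nil {
		return nil, ErrMalformed
	}
	return many, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign mints an HS256 token (HMAC only to keep the example self-contained).
func Sign(c Claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil)), nil
}

// Verify checks alg, signature, iss and exp, then the step the advisory
// describes as missing: aud must name this relying party (wantAud).
func Verify(token string, key []byte, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, ErrMalformed
	}
	var header struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm rather than trusting whatever the token says.
	if json.Unmarshal(hb, &header) != nil || header.Alg != "HS256" {
		return nil, ErrAlgorithm
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrSignature
	}
	var c Claims
	if json.Unmarshal(pb, &c) != nil {
		return nil, ErrMalformed
	}
	if c.Iss != wantIss {
		return nil, ErrIssuer
	}
	if now.Unix() >= c.Exp {
		return nil, ErrExpired
	}
	auds, err := c.Audiences()
	if err != nil {
		return nil, err
	}
	for _, a := range auds {
		if a == wantAud {
			return &c, nil
		}
	}
	// Genuine signature and issuer, but minted for another application:
	// accepting it here is the bypass the advisory describes.
	return nil, ErrAudience
}

func main() {
	key := []byte("constructed-demo-key")
	exp := time.Now().Add(time.Hour).Unix()
	tok, _ := Sign(Claims{Iss: "https://idp.example", Aud: json.RawMessage(`"other-app"`), Exp: exp}, key)
	_, err := Verify(tok, key, "https://idp.example", "zitadel-login", time.Now())
	fmt.Println(err)
}
```

Without the audience check, any token the IdP ever issued for any of its other clients (a mobile app, an internal tool) is a valid login credential here, which is why a missing `aud` claim is treated as a failure and not as "no restriction".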
CVE-2026-55670 | LOW | Affected: ≥ 0, < 1.80.0-v2.20.0.20260615092437-6082e59d47c1 | Published: 2026-06-18
CVE-2026-55670 [LOW] CWE-284 ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
### Summary
A flaw in user lifecycle enforcement allowed deleted users to retain their original organization/tenant association. Recreating a deleted user under a distinct organization can cause the new user instance to be incorrectly provisioned within the original organization if the previous ID is reused to recreate it.
### Impact
Whe
CVE-2026-55671 | LOW | Affected: ≥ 0, < 1.80.0-v2.20.0.20260615133614-8e82ec1cb9a2 | Published: 2026-06-18
CVE-2026-55671 [LOW] CWE-918 ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
### Summary
A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting:
* **HTTP Notification Channels:** Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks.
* **OIDC BackChannel Logout:** Ter