Skip to main content

Zitadel CVE-2025-31124

MEDIUM
Information Exposure (CWE-200)
2025-03-31 security-advisories@github.com
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:34 vuln.today
Patch released
Mar 28, 2026 - 18:34 nvd
Patch available
CVE Published
Mar 31, 2025 - 20:15 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". While the setting was correctly respected during the login flow, the user's username was normalized leading to a disclosure of the user's existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.

AnalysisAI

Zitadel is open-source identity infrastructure software. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". While the setting was correctly respected during the login flow, the user's username was normalized leading to a disclosure of the user's existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9. Affected products include: Zitadel.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2024-49753 CRITICAL POC
9.1 Oct 25

Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot

CVE-2023-49097 HIGH POC
8.8 Nov 30

ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2026-29191 CRITICAL
9.3 Mar 07

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p

CVE-2025-27507 CRITICAL
9.0 Mar 04

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2024-49757 MEDIUM POC
4.9 Oct 25

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2022-36051 HIGH
8.8 Aug 31

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the

CVE-2025-31123 HIGH
8.7 Mar 31

Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2024-29891 HIGH
8.7 Mar 27

ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi

CVE-2026-29193 HIGH
8.2 Mar 07

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

CVE-2026-56668 HIGH
8.1 Jul 10

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke

CVE-2026-29067 HIGH
8.1 Mar 07

ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For

CVE-2024-32868 HIGH
8.1 Apr 26

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM

Share

CVE-2025-31124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy