Skip to main content

Zitadel CVE-2026-44671

| EUVDEUVD-2026-30492 HIGH
LDAP Injection (CWE-90)
2026-05-08 https://github.com/zitadel/zitadel GHSA-rxvx-hhpj-q6px
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 17:46 vuln.today
Analysis Generated
May 08, 2026 - 17:46 vuln.today
CVE Published
May 08, 2026 - 17:11 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary

A vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.

Impact

While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory.

Note that an authentication bypass is not possible.

Affected Versions

Systems integrating LDAP as IdPs and running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.14.0 (including RC versions)
  • 3.x: 3.1.0 through 3.4.9
  • 2.x: 2.71.11 through 2.71.19

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.

Workarounds

The recommended solution is to upgrade to a patched version. If an immediate upgrade is not possible, developers should ensure their project's LDAP directory has strict access controls to limit the scope of information disclosure.

Questions

If there are any questions or comments about this advisory, please send an email to [security@zitadel.com](mailto:security@zitadel.com)

Credits

This vulnerability was identified and reported by ProScan AppSec (https://proscan.one/).

AnalysisAI

LDAP Filter Injection in Zitadel's identity provider implementation allows unauthenticated remote attackers to enumerate valid usernames and extract sensitive LDAP directory attributes through blind injection techniques. The vulnerability exists in Zitadel versions 2.71.11-2.71.19, 3.1.0-3.4.9, and 4.0.0-4.14.0 when LDAP is configured as an identity provider. Exploitation requires no authentication (CVSS PR:N) and has network attack vector (AV:N) with low complexity (AC:L), resulting in high confidentiality impact (C:H) but no authentication bypass capability. Vendor-released patches are available for 3.x (3.4.10) and 4.x (4.15.0) branches. No public exploit identified at time of analysis, though the attack technique is well-documented in security research.

Technical ContextAI

This vulnerability stems from improper neutralization of special elements in LDAP queries (CWE-90: LDAP Injection). Zitadel, an open-source identity and access management platform written in Go (pkg:go/github.com/zitadel/zitadel), integrates with LDAP directories as identity providers for authentication. The flaw occurs when user-supplied usernames from login forms are incorporated into LDAP search filter strings without proper sanitization or escaping. LDAP search filters use special metacharacters like parentheses, asterisks, and backslashes to construct query logic. By injecting these characters (e.g., transforming 'username' to 'user*' or 'user)(objectClass=*)'), attackers can modify the search filter's logical structure. This creates a blind injection scenario where attackers observe timing differences or error messages to infer directory contents. The vulnerability is specific to deployments using LDAP as an IdP backend, not affecting other authentication methods like OAuth or SAML.

RemediationAI

Upgrade to patched versions immediately: Zitadel 4.x users should upgrade to version 4.15.0 or later (https://github.com/zitadel/zitadel/releases/tag/v4.15.0), and Zitadel 3.x users should update to version 3.4.10 or later (https://github.com/zitadel/zitadel/releases/tag/v3.4.10). For Zitadel 2.x deployments (2.71.11-2.71.19), the vendor advisory indicates upgrading to 3.4.10 is the remediation path, as no 2.x patch is released. If immediate patching is not feasible, implement strict LDAP directory access controls to limit the scope of enumerable attributes - specifically, configure LDAP ACLs to prevent anonymous binds from reading sensitive user attributes beyond basic authentication fields, and consider IP allowlisting for LDAP queries to trusted Zitadel instances only. This workaround reduces information disclosure severity but does not eliminate username enumeration risk. Organizations not using LDAP as an identity provider are unaffected and require no action. Monitor application logs for unusual login patterns (rapid sequential failures with special characters in usernames) that may indicate exploitation attempts.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Share

CVE-2026-44671 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy