Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.
Impact
While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory.
Note that an authentication bypass is not possible.
Affected Versions
Systems integrating LDAP as IdPs and running one of the following versions are affected:
- 4.x:
4.0.0through4.14.0(including RC versions) - 3.x:
3.1.0through3.4.9 - 2.x:
2.71.11through2.71.19
Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.
Workarounds
The recommended solution is to upgrade to a patched version. If an immediate upgrade is not possible, developers should ensure their project's LDAP directory has strict access controls to limit the scope of information disclosure.
Questions
If there are any questions or comments about this advisory, please send an email to [security@zitadel.com](mailto:security@zitadel.com)
Credits
This vulnerability was identified and reported by ProScan AppSec (https://proscan.one/).
AnalysisAI
LDAP Filter Injection in Zitadel's identity provider implementation allows unauthenticated remote attackers to enumerate valid usernames and extract sensitive LDAP directory attributes through blind injection techniques. The vulnerability exists in Zitadel versions 2.71.11-2.71.19, 3.1.0-3.4.9, and 4.0.0-4.14.0 when LDAP is configured as an identity provider. Exploitation requires no authentication (CVSS PR:N) and has network attack vector (AV:N) with low complexity (AC:L), resulting in high confidentiality impact (C:H) but no authentication bypass capability. Vendor-released patches are available for 3.x (3.4.10) and 4.x (4.15.0) branches. No public exploit identified at time of analysis, though the attack technique is well-documented in security research.
Technical ContextAI
This vulnerability stems from improper neutralization of special elements in LDAP queries (CWE-90: LDAP Injection). Zitadel, an open-source identity and access management platform written in Go (pkg:go/github.com/zitadel/zitadel), integrates with LDAP directories as identity providers for authentication. The flaw occurs when user-supplied usernames from login forms are incorporated into LDAP search filter strings without proper sanitization or escaping. LDAP search filters use special metacharacters like parentheses, asterisks, and backslashes to construct query logic. By injecting these characters (e.g., transforming 'username' to 'user*' or 'user)(objectClass=*)'), attackers can modify the search filter's logical structure. This creates a blind injection scenario where attackers observe timing differences or error messages to infer directory contents. The vulnerability is specific to deployments using LDAP as an IdP backend, not affecting other authentication methods like OAuth or SAML.
RemediationAI
Upgrade to patched versions immediately: Zitadel 4.x users should upgrade to version 4.15.0 or later (https://github.com/zitadel/zitadel/releases/tag/v4.15.0), and Zitadel 3.x users should update to version 3.4.10 or later (https://github.com/zitadel/zitadel/releases/tag/v3.4.10). For Zitadel 2.x deployments (2.71.11-2.71.19), the vendor advisory indicates upgrading to 3.4.10 is the remediation path, as no 2.x patch is released. If immediate patching is not feasible, implement strict LDAP directory access controls to limit the scope of enumerable attributes - specifically, configure LDAP ACLs to prevent anonymous binds from reading sensitive user attributes beyond basic authentication fields, and consider IP allowlisting for LDAP queries to trusted Zitadel instances only. This workaround reduces information disclosure severity but does not eliminate username enumeration risk. Organizations not using LDAP as an identity provider are unaffected and require no action. Monitor application logs for unusual login patterns (rapid sequential failures with special characters in usernames) that may indicate exploitation attempts.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30492
GHSA-rxvx-hhpj-q6px