Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Account takeover achieves full victim-account access, warranting C:H/I:H; AC:H retained due to permissive-IdP prerequisite.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.
AnalysisAI
Account takeover in ZITADEL's external identity provider auto-linking logic prior to version 4.15.3 allows an unauthenticated network attacker to hijack a victim's local ZITADEL account. The handler confirms that the local user's email is verified but fails to require the external IdP to also confirm ownership of that same email address before completing the link - meaning an attacker who registers a victim's email on a permissive external IdP (one that does not enforce email verification) can silently gain full access to the victim's ZITADEL account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific conditions to be simultaneously true: (1) at least one external identity provider must be configured in the ZITADEL instance for federated authentication, AND (2) that configured external IdP must be 'permissive' - meaning it allows users to register or claim email addresses without verifying ownership (i.e., the IdP does not confirm the registrant controls the email before issuing identity tokens). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N appropriately reflects the high attack complexity (AC:H) because exploitation requires that: (1) a permissive external IdP is configured in the ZITADEL deployment, and (2) that IdP does not enforce its own email verification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a ZITADEL deployment with a permissive external IdP (e.g., a self-hosted OIDC provider that allows unverified email addresses) configured alongside real user accounts. The attacker registers an account on that permissive IdP using the verified email address of a known ZITADEL user. … |
| Remediation | The primary fix is to upgrade ZITADEL to version 4.15.3 or later, which is available at https://github.com/zitadel/zitadel/releases/tag/v4.15.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot
ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the
Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely
ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke
ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42966