Skip to main content

ZITADEL EUVDEUVD-2026-42966

| CVE-2026-56666 MEDIUM
Improper Authentication (CWE-287)
2026-07-10 GitHub_M
4.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
7.4 HIGH

Account takeover achieves full victim-account access, warranting C:H/I:H; AC:H retained due to permissive-IdP prerequisite.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 19:01 EUVD
Analysis Generated
Jul 10, 2026 - 18:36 vuln.today

DescriptionCVE.org

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.

AnalysisAI

Account takeover in ZITADEL's external identity provider auto-linking logic prior to version 4.15.3 allows an unauthenticated network attacker to hijack a victim's local ZITADEL account. The handler confirms that the local user's email is verified but fails to require the external IdP to also confirm ownership of that same email address before completing the link - meaning an attacker who registers a victim's email on a permissive external IdP (one that does not enforce email verification) can silently gain full access to the victim's ZITADEL account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register victim email on permissive external IdP
Delivery
Initiate federated login to ZITADEL via that IdP
Exploit
ZITADEL handler checks local email is verified
Execution
Skip external IdP email ownership check
Persist
Auto-link attacker IdP account to victim local account
Impact
Gain authenticated session as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific conditions to be simultaneously true: (1) at least one external identity provider must be configured in the ZITADEL instance for federated authentication, AND (2) that configured external IdP must be 'permissive' - meaning it allows users to register or claim email addresses without verifying ownership (i.e., the IdP does not confirm the registrant controls the email before issuing identity tokens). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N appropriately reflects the high attack complexity (AC:H) because exploitation requires that: (1) a permissive external IdP is configured in the ZITADEL deployment, and (2) that IdP does not enforce its own email verification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a ZITADEL deployment with a permissive external IdP (e.g., a self-hosted OIDC provider that allows unverified email addresses) configured alongside real user accounts. The attacker registers an account on that permissive IdP using the verified email address of a known ZITADEL user. …
Remediation The primary fix is to upgrade ZITADEL to version 4.15.3 or later, which is available at https://github.com/zitadel/zitadel/releases/tag/v4.15.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-49753 CRITICAL POC
9.1 Oct 25

Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot

CVE-2023-49097 HIGH POC
8.8 Nov 30

ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2026-29191 CRITICAL
9.3 Mar 07

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p

CVE-2025-27507 CRITICAL
9.0 Mar 04

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2024-49757 MEDIUM POC
4.9 Oct 25

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2022-36051 HIGH
8.8 Aug 31

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the

CVE-2025-31123 HIGH
8.7 Mar 31

Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2024-29891 HIGH
8.7 Mar 27

ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi

CVE-2026-29193 HIGH
8.2 Mar 07

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

CVE-2026-56668 HIGH
8.1 Jul 10

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke

CVE-2026-29067 HIGH
8.1 Mar 07

ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For

CVE-2024-32868 HIGH
8.1 Apr 26

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM

Share

EUVD-2026-42966 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy