Zitadel
Monthly
Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 token to exchange it for elevated permissions at a different application, because the token-exchange endpoint fails to bind the subject token to the requesting client and does not constrain requested scopes to the original token's scopes. Any authenticated principal with a valid low-scope token can escalate laterally across relying applications; no public exploit is identified at time of analysis and it is not listed in CISA KEV. A vendor patch (4.15.3) and fixing commit are available.
Account takeover in ZITADEL's external identity provider auto-linking logic prior to version 4.15.3 allows an unauthenticated network attacker to hijack a victim's local ZITADEL account. The handler confirms that the local user's email is verified but fails to require the external IdP to also confirm ownership of that same email address before completing the link - meaning an attacker who registers a victim's email on a permissive external IdP (one that does not enforce email verification) can silently gain full access to the victim's ZITADEL account. No public exploit has been identified at time of analysis; the fix is available in the vendor-released patch v4.15.3.
Stored cross-site scripting in ZITADEL's Login V2 (versions prior to 4.15.3) lets an organization or instance administrator plant a javascript: or data: URI in the loginSettings.defaultRedirectUri, which is passed to router.push on OIDC and SAML FailedPrecondition error paths without the isSafeRedirectUri validation, executing arbitrary script in a victim user's browser. Because the malicious value must be set by a privileged admin and only fires when a user hits a specific login error path, this is a privilege-escalation/session-compromise vector against the self-hosted identity platform rather than a mass-exploitable flaw. No public exploit identified at time of analysis; not listed in CISA KEV.
Insufficient JWT expiration enforcement in ZITADEL's external JWT Identity Provider integration allows tokens lacking the `exp` claim to be treated as indefinitely valid, bypassing intended session lifetime controls. Versions 3.0.0-rc.1 through 3.4.11 and 4.0.0-rc.1 through 4.15.1 are affected, with the flaw residing in `internal/idp/providers/jwt/session.go`. An attacker who can obtain or craft a JWT from a configured trusted external issuer that omits the `exp` claim can maintain persistent authenticated access without re-authentication. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Insufficient session expiration in ZITADEL's external JWT Identity Provider allows arbitrarily old tokens from trusted issuers to pass authentication when the token omits the iat (issued-at) claim. ZITADEL versions prior to 3.4.12 (v3 branch) and 4.15.2 (v4 branch) are affected. An attacker holding a previously issued JWT from a trusted external IdP - specifically one lacking the iat claim - can reuse that token indefinitely, bypassing intended session expiry controls and maintaining unauthorized access. No public exploit identified at time of analysis.
ZITADEL is an open source identity management platform. versions up to 3.4.8 is affected by insufficient session expiration (CVSS 7.4).
ZITADEL is an open source identity management platform. versions up to 3.4.8 is affected by authorization bypass through user-controlled key (CVSS 7.7).
ZITADEL is an open source identity management platform. From 2.68.0 to versions up to 3.4.8 contains a security vulnerability (CVSS 7.5).
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.
ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the Forwarded and X-Forwarded-Host headers used in password reset links. An attacker can craft a malicious request to redirect users to an attacker-controlled domain when they click password reset confirmation links, enabling credential harvesting or phishing attacks. The vulnerability affects all deployments using affected versions and has been patched in version 4.7.1.
Zitadel versions prior to 4.11.1 and 3.4.7 permit authenticated users to bypass email and phone verification procedures through the self-management feature, allowing them to mark contact information as verified without completing actual validation. This integrity bypass enables account compromise scenarios where attackers with valid credentials can impersonate other users or escalate privileges by falsifying verified contact details. No patch is currently available for affected deployments, though implementing action rules (v2) can mitigate the risk.
Server-Side Request Forgery in Zitadel's Action V2 webhook feature allows unauthenticated attackers to probe internal network services and gather information about internal infrastructure by crafting malicious webhook target URLs pointing to localhost or private IP addresses. The vulnerability affects Zitadel versions 4.0.0 through 4.11.0, with schema validation providing limited mitigation. No patch is currently available.
Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.
Zitadel versions prior to 4.9.1 and 3.4.6 contain a user enumeration vulnerability in their login interfaces that allows unauthenticated attackers to discover valid user accounts by testing usernames and user IDs. An attacker can leverage this information disclosure to build lists of existing users for targeted attacks against the identity management platform. The vulnerability has been patched in versions 4.9.1 and 3.4.6.
ZITADEL is an open source identity management platform. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required.
Zitadel is open-source identity infrastructure software. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity.
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zitadel is an open source identity management platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Zitadel is an open source identity management platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Zitadel is an open source identity management platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Zitadel is an open source identity management system. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Zitadel is an open source identity management system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
ZITADEL is an open-source identity infrastructure tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Zitadel is an open source identity management system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Zitadel is an open source identity management system. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.
ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ZITADEL provides identity infrastructure. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
ZITADEL is an identity infrastructure management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
ZITADEL provides identity infrastructure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ZITADEL is a combination of Auth0 and Keycloak. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER`. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 token to exchange it for elevated permissions at a different application, because the token-exchange endpoint fails to bind the subject token to the requesting client and does not constrain requested scopes to the original token's scopes. Any authenticated principal with a valid low-scope token can escalate laterally across relying applications; no public exploit is identified at time of analysis and it is not listed in CISA KEV. A vendor patch (4.15.3) and fixing commit are available.
Account takeover in ZITADEL's external identity provider auto-linking logic prior to version 4.15.3 allows an unauthenticated network attacker to hijack a victim's local ZITADEL account. The handler confirms that the local user's email is verified but fails to require the external IdP to also confirm ownership of that same email address before completing the link - meaning an attacker who registers a victim's email on a permissive external IdP (one that does not enforce email verification) can silently gain full access to the victim's ZITADEL account. No public exploit has been identified at time of analysis; the fix is available in the vendor-released patch v4.15.3.
Stored cross-site scripting in ZITADEL's Login V2 (versions prior to 4.15.3) lets an organization or instance administrator plant a javascript: or data: URI in the loginSettings.defaultRedirectUri, which is passed to router.push on OIDC and SAML FailedPrecondition error paths without the isSafeRedirectUri validation, executing arbitrary script in a victim user's browser. Because the malicious value must be set by a privileged admin and only fires when a user hits a specific login error path, this is a privilege-escalation/session-compromise vector against the self-hosted identity platform rather than a mass-exploitable flaw. No public exploit identified at time of analysis; not listed in CISA KEV.
Insufficient JWT expiration enforcement in ZITADEL's external JWT Identity Provider integration allows tokens lacking the `exp` claim to be treated as indefinitely valid, bypassing intended session lifetime controls. Versions 3.0.0-rc.1 through 3.4.11 and 4.0.0-rc.1 through 4.15.1 are affected, with the flaw residing in `internal/idp/providers/jwt/session.go`. An attacker who can obtain or craft a JWT from a configured trusted external issuer that omits the `exp` claim can maintain persistent authenticated access without re-authentication. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Insufficient session expiration in ZITADEL's external JWT Identity Provider allows arbitrarily old tokens from trusted issuers to pass authentication when the token omits the iat (issued-at) claim. ZITADEL versions prior to 3.4.12 (v3 branch) and 4.15.2 (v4 branch) are affected. An attacker holding a previously issued JWT from a trusted external IdP - specifically one lacking the iat claim - can reuse that token indefinitely, bypassing intended session expiry controls and maintaining unauthorized access. No public exploit identified at time of analysis.
ZITADEL is an open source identity management platform. versions up to 3.4.8 is affected by insufficient session expiration (CVSS 7.4).
ZITADEL is an open source identity management platform. versions up to 3.4.8 is affected by authorization bypass through user-controlled key (CVSS 7.7).
ZITADEL is an open source identity management platform. From 2.68.0 to versions up to 3.4.8 contains a security vulnerability (CVSS 7.5).
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.
ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the Forwarded and X-Forwarded-Host headers used in password reset links. An attacker can craft a malicious request to redirect users to an attacker-controlled domain when they click password reset confirmation links, enabling credential harvesting or phishing attacks. The vulnerability affects all deployments using affected versions and has been patched in version 4.7.1.
Zitadel versions prior to 4.11.1 and 3.4.7 permit authenticated users to bypass email and phone verification procedures through the self-management feature, allowing them to mark contact information as verified without completing actual validation. This integrity bypass enables account compromise scenarios where attackers with valid credentials can impersonate other users or escalate privileges by falsifying verified contact details. No patch is currently available for affected deployments, though implementing action rules (v2) can mitigate the risk.
Server-Side Request Forgery in Zitadel's Action V2 webhook feature allows unauthenticated attackers to probe internal network services and gather information about internal infrastructure by crafting malicious webhook target URLs pointing to localhost or private IP addresses. The vulnerability affects Zitadel versions 4.0.0 through 4.11.0, with schema validation providing limited mitigation. No patch is currently available.
Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.
Zitadel versions prior to 4.9.1 and 3.4.6 contain a user enumeration vulnerability in their login interfaces that allows unauthenticated attackers to discover valid user accounts by testing usernames and user IDs. An attacker can leverage this information disclosure to build lists of existing users for targeted attacks against the identity management platform. The vulnerability has been patched in versions 4.9.1 and 3.4.6.
ZITADEL is an open source identity management platform. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required.
Zitadel is open-source identity infrastructure software. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity.
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zitadel is an open source identity management platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Zitadel is an open source identity management platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Zitadel is an open source identity management platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Zitadel is an open source identity management system. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Zitadel is an open source identity management system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
ZITADEL is an open-source identity infrastructure tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Zitadel is an open source identity management system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Zitadel is an open source identity management system. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.
ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ZITADEL provides identity infrastructure. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
ZITADEL is an identity infrastructure management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
ZITADEL provides identity infrastructure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ZITADEL is a combination of Auth0 and Keycloak. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER`. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.