Zitadel Privilege Escalation: Self-Verification Bypass via UpdateHumanUser API (CVE-2026-27946)

Key Information Vulnerability Name: Users Can Self-Verify Email/Phone via UpdateHumanUser API Severity: High Vulnerability Description Summary: A vulnerability exists in Zitadel's self-service functionality that allows users to mark their own email addresses and phone numbers as verified without undergoing the actual verification process. Impact: - Zitadel provides an API for user management, which allows users to self-manage their data, including updating email addresses and phone numbers. - Due to incorrect permission checks, the API allows setting the verified flag for a user's own email and phone number. This enables users to claim ownership of emails or phone numbers they do not control and potentially bypass email-based security policies. Affected Versions Affected Versions: - 4.x: 4.0.0 to 4.11.0 (including RC versions) - 3.x: 3.0.0 to 3.4.6 (including RC versions) - 2.x: 2.43.0 to 2.71.19 Fixed Versions: - 4.11.1 - 3.4.7 Remediation Patch Versions: - 4.x: Upgrade to >= 4.11.1 - 3.x: Upgrade to >= 3.4.7 - 2.x: Upgrade to >= 3.4.7 Workaround: It is recommended to upgrade to a patched version. If upgrading is not possible, operations using the v2 API can be employed to prevent setting the verification flag for one's own user. Additional Information CVSS v4 Base Metrics: - Severity: 8.2/10 - Exploit Complexity: Low - Integrity Impact: High CVE ID: CVE-2026-27946 Contact Information: security@zitadel.com Affected Packages Package Name: ZITADEL Affected Versions: - 4.0.0 to 4.11.0 (including RC versions) - 3.0.0 to 3.4.6 (including RC versions) - 2.43.0 to 2.71.19 Fixed Versions: - 4.11.1 - 3.4.7

Goal Reached Thanks to every supporter — we hit 100%!

Zitadel Privilege Escalation: Self-Verification Bypass via UpdateHumanUser API (CVE-2026-27946)

More from this source