
zitadel — Vulnerabilities & Security Advisories 47

Browse all 47 CVE security advisories affecting zitadel. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Zitadel is an open-source identity and access management platform designed to provide authentication, authorization, and user lifecycle management for modern applications. Its architecture supports multi-tenant environments, enabling organizations to manage user identities securely across diverse services. Historically, the platform has been associated with forty-seven recorded Common Vulnerabilities and Exposures (CVEs), reflecting a significant attack surface. These vulnerabilities predominantly involve privilege escalation, cross-site scripting, and improper access control mechanisms, allowing attackers to bypass authentication or access unauthorized resources. While no massive, widely publicized data breaches have been definitively attributed to these specific flaws, the high volume of CVEs indicates persistent security challenges in its codebase. Developers are urged to apply patches promptly, as the recurring nature of these issues suggests systemic weaknesses in input validation and permission handling that require rigorous maintenance and continuous security auditing to mitigate risks effectively.

Top products by zitadel: zitadel
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-33132 | ZITADEL is missing enforcement of organization scopes | zitadel | CWE-863 | 5.3 | Medium | 2026-03-20 |
| CVE-2026-32132 | ZITADEL: Reactivation of Expired Passkey Registration Codes | zitadel | CWE-613 | 7.4 | High | 2026-03-11 |
| CVE-2026-32131 | ZITADEL Cross-Tenant Information Disclosure in Management API | zitadel | CWE-639 | 7.7 | High | 2026-03-11 |
| CVE-2026-32130 | ZITADEL SCIM Authentication Bypass via URL Encoding | zitadel | CWE-288 | 7.5 | High | 2026-03-11 |
| CVE-2026-29067 | ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login | zitadel | CWE-601 | 8.1 | High | 2026-03-07 |
| CVE-2026-29193 | ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2 | zitadel | CWE-287 | 8.2 | High | 2026-03-07 |
| CVE-2026-29192 | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | zitadel | CWE-79 | 7.7 | High | 2026-03-07 |
| CVE-2026-29191 | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | zitadel | CWE-79 | 9.3 | Critical | 2026-03-07 |
| CVE-2026-27946 | ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API | zitadel | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27945 | ZITADEL has potential SSRF via Actions | zitadel | CWE-918 | 6.5 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27840 | ZITADEL's truncated opaque tokens are still valid | zitadel | CWE-302 | 4.3 | Medium | 2026-02-26 |
| CVE-2026-23511 | ZITADEL has a user enumeration vulnerability in Login UIs | zitadel | CWE-204 | 5.3 | Medium | 2026-01-15 |
| CVE-2025-67717 | Zitadel Discloses the Total Number of Instance Users | zitadel | CWE-497 | 4.3 (AI) | Medium (AI) | 2025-12-11 |
| CVE-2025-67495 | ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login | zitadel | CWE-79 | 8.0 | High | 2025-12-09 |
| CVE-2025-67494 | ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login | zitadel | CWE-918 | 9.3 | Critical | 2025-12-09 |
| CVE-2025-64717 | ZITADEL vulnerable to Account Takeover with deactivated Instance IdP | zitadel | CWE-287 | 3.8 | - | 2025-11-13 |
| CVE-2025-64431 | IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering | zitadel | CWE-639 | 6.5 | - | 2025-11-07 |
| CVE-2025-64103 | Zitadel Bypass Second Authentication Factor | zitadel | CWE-308 | 9.1 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-64102 | Zitadel allows brute-forcing authentication factors | zitadel | CWE-307 | 9.8 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-64101 | ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection | zitadel | CWE-601 | 8.1 | High | 2025-10-29 |
| CVE-2025-57770 | ZITADEL user enumeration vulnerability in login UI | zitadel | CWE-203 | 5.3 | Medium | 2025-08-22 |
| CVE-2025-53895 | ZITADEL has broken authN and authZ in session API and resulting session tokens | zitadel | CWE-863 | 8.1 (AI) | High (AI) | 2025-07-15 |
| CVE-2025-48936 | ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection | zitadel | CWE-601 | 8.1 | High | 2025-05-30 |
| CVE-2025-46815 | ZITADEL Allows IdP Intent Token Reuse | zitadel | CWE-613 | 8.0 | High | 2025-05-06 |
| CVE-2025-31124 | Zitadel allows User Enumeration by loginname attribute normalization | zitadel | CWE-203 | 5.3 | Medium | 2025-03-31 |
| CVE-2025-31123 | Zitadel Expired JWT Keys Usable for Authorization Grants | zitadel | CWE-324 | 8.7 | High | 2025-03-31 |
| CVE-2025-27507 | IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations | zitadel | CWE-639 | 9.0 | Critical | 2025-03-04 |
| CVE-2024-49757 | Zitadel User Registration Bypass Vulnerability | zitadel | CWE-287 | 7.5 | High | 2024-10-25 |
| CVE-2024-49753 | Denied Host Validation Bypass in Zitadel Actions | zitadel | CWE-20 | 5.9 | Medium | 2024-10-25 |
| CVE-2024-46999 | User Grant Deactivation not Working in Zitadel | zitadel | CWE-269 | 7.3 | High | 2024-09-19 |

Scores and severities marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned; "-" means no severity was recorded.

This page lists every published CVE security advisory associated with zitadel. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.