5 matches found

Snyk
added 2026/02/26 3:13 a.m.

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the UpdateHumanUser API. An attacker can bypass proper verification of email or phone by directly setting the verification flag without completing the intended verification process. This may allow unauthorized...

CVSS 8.2, AI score 6, EPSS 0.00044
Exploits 0, References 2
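The Missing Authorization entry above describes a "verified" flag that an ordinary caller could set directly. The following is an added illustration of that class of bug, not Zitadel's code: the role model, the HumanUser and UpdateRequest shapes, and the function names are assumptions. The vulnerable updater copies whatever flags the request carries; the hardened one resets the verified state whenever the contact value changes and accepts an explicit flag only from a manager role.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is the caller's role as decided by the authorization layer (assumed model).
type Role int

const (
	RoleSelf  Role = iota // a user editing their own account
	RoleAdmin             // an organization or instance manager
)

// HumanUser is a minimal stand-in for the stored user record (assumed shape).
type HumanUser struct {
	Email           string
	IsEmailVerified bool
	Phone           string
	IsPhoneVerified bool
}

// UpdateRequest mirrors an update call whose payload carries "verified" flags next to the
// new contact values; nil means "not supplied" (assumed shape).
type UpdateRequest struct {
	Email           *string
	IsEmailVerified *bool
	Phone           *string
	IsPhoneVerified *bool
}

var ErrPermissionDenied = errors.New("verification flags may only be set by a manager")

// updateVulnerable applies every supplied field without asking who the caller is. A user
// with ordinary self-service access can therefore mark an address that never received a
// code as verified, which is the bypass the advisory describes.
func updateVulnerable(u *HumanUser, req UpdateRequest, _ Role) error {
	if req.Email != nil {
		u.Email = *req.Email
	}
	if req.IsEmailVerified != nil {
		u.IsEmailVerified = *req.IsEmailVerified
	}
	if req.Phone != nil {
		u.Phone = *req.Phone
	}
	if req.IsPhoneVerified != nil {
		u.IsPhoneVerified = *req.IsPhoneVerified
	}
	return nil
}

// updateHardened enforces two rules: a changed contact value always drops back to
// unverified, and the verified flags are accepted only from RoleAdmin. Everyone else has to
// complete the code-based verification flow (not shown here).
func updateHardened(u *HumanUser, req UpdateRequest, caller Role) error {
	wantsFlag := req.IsEmailVerified != nil || req.IsPhoneVerified != nil
	if wantsFlag && caller != RoleAdmin {
		return ErrPermissionDenied
	}
	if req.Email != nil && *req.Email != u.Email {
		u.Email = *req.Email
		u.IsEmailVerified = false
	}
	if req.Phone != nil && *req.Phone != u.Phone {
		u.Phone = *req.Phone
		u.IsPhoneVerified = false
	}
	// Past the check above, non-nil flags can only come from RoleAdmin; an explicit flag
	// overrides the reset applied on change.
	if req.IsEmailVerified != nil {
		u.IsEmailVerified = *req.IsEmailVerified
	}
	if req.IsPhoneVerified != nil {
		u.IsPhoneVerified = *req.IsPhoneVerified
	}
	return nil
}

func main() {
	verified, mail := true, "attacker@example.com" // constructed request payload
	req := UpdateRequest{Email: &mail, IsEmailVerified: &verified}

	u := HumanUser{Email: "victim@example.com", IsEmailVerified: true}
	_ = updateVulnerable(&u, req, RoleSelf)
	fmt.Printf("vulnerable: %s verified=%v\n", u.Email, u.IsEmailVerified)

	u = HumanUser{Email: "victim@example.com", IsEmailVerified: true}
	err := updateHardened(&u, req, RoleSelf)
	fmt.Printf("hardened:   %s verified=%v err=%v\n", u.Email, u.IsEmailVerified, err)
}
```

The check worth carrying into any review of a user-update endpoint is the first one in updateHardened: a field that asserts a security state (verified, confirmed, approved) must be gated on the caller's role, not merely on the caller being allowed to edit the record.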
OSV
added 2026/01/23 2:28 a.m.

GO-2026-4319 Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel

Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...

CVSS 5.3, AI score 5.6, EPSS 0.00023
Exploits 0, References 7
OSV
added 2025/12/15 8:15 p.m.

GO-2025-4227 Zitadel Discloses the Total Number of Instance Users in github.com/zitadel/zitadel

Zitadel Discloses the Total Number of Instance Users in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners,...

CVSS 5.3, AI score 6.7, EPSS 0.00036
Exploits 0, References 3
Snyk
added 2025/10/29 6:45 p.m.

Open Redirect

Overview: Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...

CVSS 8.8, AI score 7, EPSS 0.00067
Exploits 0, References 2
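The Open Redirect entry above turns on a link builder that takes its host from proxy headers. The following is an added example of the pattern and its fix, not Zitadel's code: the externalDomain constant, the allowedHosts set, the /password/reset path and the function names are assumptions. The vulnerable builder honours Forwarded (RFC 7239), then X-Forwarded-Host, then Host, all of which a client can supply unless the edge proxy overwrites them; the hardened builder uses a header-derived host only when it is on the operator's allow-list and otherwise falls back to the configured domain.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// externalDomain stands for the operator-configured public domain of the deployment
// (an assumed configuration value, not a Zitadel setting name).
const externalDomain = "auth.example.com"

// allowedHosts is the set of hosts this deployment legitimately serves (assumed config).
var allowedHosts = map[string]bool{
	"auth.example.com":  true,
	"login.example.com": true,
}

// forwardedHost pulls the host= parameter out of an RFC 7239 Forwarded header such as
// `for=203.0.113.5;host=evil.example;proto=https`. It returns "" when absent.
func forwardedHost(v string) string {
	for _, elem := range strings.Split(v, ",") {
		for _, pair := range strings.Split(elem, ";") {
			k, val, ok := strings.Cut(strings.TrimSpace(pair), "=")
			if ok && strings.EqualFold(k, "host") {
				return strings.Trim(val, `"`)
			}
		}
	}
	return ""
}

// requestedHost is what a proxy-aware service believes its public host to be:
// Forwarded, then X-Forwarded-Host, then the Host header. Each is client-controlled
// unless the edge proxy strips or overwrites it.
func requestedHost(r *http.Request) string {
	if h := forwardedHost(r.Header.Get("Forwarded")); h != "" {
		return h
	}
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		return h
	}
	return r.Host
}

// resetLinkVulnerable builds the confirmation link the way the advisory describes: the host
// comes straight from the request, so a reset the attacker triggers for the victim's account
// mails out a link to the attacker's host, which receives the code when the victim clicks.
func resetLinkVulnerable(r *http.Request, code string) string {
	return fmt.Sprintf("https://%s/password/reset?code=%s", requestedHost(r), url.QueryEscape(code))
}

// resetLinkHardened never lets the request pick an arbitrary host: the requested host is
// used only if it is allow-listed, otherwise the configured external domain is used.
func resetLinkHardened(r *http.Request, code string) string {
	host := externalDomain
	if h := requestedHost(r); allowedHosts[h] {
		host = h
	}
	return fmt.Sprintf("https://%s/password/reset?code=%s", host, url.QueryEscape(code))
}

func main() {
	// Constructed request: a reset triggered through a poisoned X-Forwarded-Host header.
	r := httptest.NewRequest(http.MethodPost, "https://auth.example.com/password/reset", nil)
	r.Header.Set("X-Forwarded-Host", "evil.example")
	fmt.Println("vulnerable:", resetLinkVulnerable(r, "c0de"))
	fmt.Println("hardened:  ", resetLinkHardened(r, "c0de"))
}
```

When reviewing a deployment rather than code, the equivalent check is whether the reverse proxy in front of the service overwrites Forwarded and X-Forwarded-Host from its own configuration or merely appends to whatever the client sent.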
Snyk
added 2025/05/06 4:51 p.m.

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration through the Session API. An attacker can authenticate on behalf of the user by repeatedly using IdP intents to retrieve the id and token from the application's URI. Remediation: Upgrade...

CVSS 8, AI score 7, EPSS 0.0021
Exploits 0, References 2
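The Insufficient Session Expiration entry above hinges on an IdP intent whose id and token stay redeemable. The following is an added example of a replayable intent store beside a single-use, time-bound one; it is not Zitadel's code, and the intent record shape, the store, the TTL and the function names are assumptions. The vulnerable path only checks that the (id, token) pair exists, so anyone holding the pair from the redirect URI can open sessions repeatedly; the hardened path rejects an intent once consumed or once older than the TTL, marking consumption under the lock so concurrent redemptions cannot both succeed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// intent is the server-side record created when a user finishes a login at an external
// IdP; the id and token are handed back to the client in the redirect URI (assumed shape).
type intent struct {
	UserID   string
	Token    string
	Created  time.Time
	Consumed bool
}

var (
	ErrIntentUnknown  = errors.New("intent: unknown id or token mismatch")
	ErrIntentExpired  = errors.New("intent: expired")
	ErrIntentConsumed = errors.New("intent: already used")
)

// intentStore is an in-memory stand-in for the persistence layer (assumed).
type intentStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
	intents map[string]*intent
}

func newIntentStore(ttl time.Duration, now func() time.Time) *intentStore {
	return &intentStore{ttl: ttl, now: now, intents: map[string]*intent{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// create records a succeeded IdP intent for userID and returns the (id, token) pair.
func (s *intentStore) create(userID string) (id, token string) {
	id, token = randomHex(16), randomHex(32)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.intents[id] = &intent{UserID: userID, Token: token, Created: s.now()}
	return id, token
}

// lookup must be called with s.mu held; the token is compared in constant time.
func (s *intentStore) lookup(id, token string) (*intent, error) {
	it, ok := s.intents[id]
	if !ok || subtle.ConstantTimeCompare([]byte(it.Token), []byte(token)) != 1 {
		return nil, ErrIntentUnknown
	}
	return it, nil
}

// redeemVulnerable is the behaviour the advisory describes: a valid (id, token) pair keeps
// working, so whoever captured it from the redirect URI can create a session for the user
// as often as they like.
func (s *intentStore) redeemVulnerable(id, token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	it, err := s.lookup(id, token)
	if err != nil {
		return "", err
	}
	return it.UserID, nil
}

// redeemOnce binds the intent to exactly one session and to the store's TTL.
func (s *intentStore) redeemOnce(id, token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	it, err := s.lookup(id, token)
	if err != nil {
		return "", err
	}
	if it.Consumed {
		return "", ErrIntentConsumed
	}
	if s.now().Sub(it.Created) > s.ttl {
		return "", ErrIntentExpired
	}
	it.Consumed = true
	return it.UserID, nil
}

func main() {
	s := newIntentStore(5*time.Minute, time.Now)
	id, tok := s.create("user-1") // constructed intent for a demo user
	_, err1 := s.redeemVulnerable(id, tok)
	_, err2 := s.redeemVulnerable(id, tok) // replay still succeeds
	_, err3 := s.redeemOnce(id, tok)
	_, err4 := s.redeemOnce(id, tok) // replay rejected
	fmt.Println(err1, err2, err3, err4)
}
```

The two checks in redeemOnce are the ones to look for in any "exchange this artifact for a session" endpoint: a single-use marker set atomically with the lookup, and a lifetime short enough that a leaked redirect URI in a log or browser history is useless by the time anyone reads it.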