
5 matches found

OSV, added 2026/02/27 9:22 p.m., 5 views

GHSA-6MQ3-XMGP-PJM5 ZITADEL's truncated opaque tokens are still valid

Summary Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid. ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different...

CVSS 4.3, AI score 5.8, EPSS 0.00142
Exploits: 0, References: 7

RedhatCVE, added 2025/05/23 10:19 a.m., 12 views

CVE-2024-32868

ZITADEL provides users the possibility to use Time-based One-Time-Password TOTP and One-Time-Password OTP through SMS and Email. While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism fo...

CVSS 8.1, AI score 6.9, EPSS 0.00456
Exploits: 0, References: 1

OSV, added 2024/10/25 2:22 p.m., 5 views

CVE-2024-49757 Zitadel User Registration Bypass Vulnerability

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the...

CVSS 7.5, AI score 7.6, EPSS 0.02572
Exploits: 0, References: 10

OSV, added 2024/09/19 11:10 p.m., 9 views

CVE-2024-47000 Service Users Deactivation not Working in Zitadel

Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions...

CVSS 8.1, AI score 6.8, EPSS 0.00411
Exploits: 0, References: 3

OSV, added 2024/04/25 11:53 p.m., 13 views

CVE-2024-32868 ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass

ZITADEL provides users the possibility to use Time-based One-Time-Password TOTP and One-Time-Password OTP through SMS and Email. While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism fo...

CVSS 6.5, AI score 7.8, EPSS 0.00456
Exploits: 0, References: 4