SUSE CVE-2026-27946

ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7...

GO-2026-4574 ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel

ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest...

CVE-2026-29191

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0...

PT-2026-23106

Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0 through 4.12.0 Description ZITADEL, an open source identity management platform, had a flaw in its login V2 UI. This allowed users to circumvent login behavior and security policies, enabling self-registration of new...

CVE-2026-27946

ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7...

GO-2025-4210 ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel

ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabili...

GO-2025-4213 ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel

ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login

Summary Zitadel is vulnerable to an unauthenticated, full-read SSRF vulnerability. An unauthenticated remote attacker can force Zitadel into making HTTP requests to arbitrary domains, including internal addresses. The server then returns the upstream response to the attacker, enabling data...

GHSA-J4G7-V4M4-77PX ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP

Summary A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. Impact This vulnerability stems from the...

EUVD-2025-36696

Zitadel May Bypass Second Authentication Factor...

CVE-2025-64102

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout...

PT-2025-44342

Name of the Vulnerable Software and Affected Versions Zitadel versions prior to 4.6.0 Zitadel versions prior to 3.4.3 Zitadel versions prior to 2.71.18 Description Zitadel, an open-source identity infrastructure software, is susceptible to online brute-force attacks targeting OTP, TOTP, and...

ZITADEL 授权问题漏洞

ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak built for the container and serverless era from the Swiss ZITADEL open source. An authorization issue vulnerability exists in ZITADEL versions prior to 4.6.0, prior to 3.4.3, and prior to 2.71.18, which...

ZITADEL 安全漏洞

ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak built for the age of containers and serverless, open sourced by ZITADEL in Switzerland. A security vulnerability exists in Zitadel that stems from the fact that Zitadel discloses internal database...

PT-2023-29921 · Zitadel · Zitadel

Name of the Vulnerable Software and Affected Versions: ZITADEL versions prior to 2.38.2 ZITADEL versions prior to 2.39.2 Description: ZITADEL is an identity infrastructure management system where users can upload their own avatar image using various image types, including SVG. SVG can include...