4 matches found
GHSA-25RW-G6FF-FMG8 ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
Summary A vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organization. Impact Zitadel enables administrators to configure their...
CVE-2025-64103
Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi-factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single-factor authenticated sessions as valid as...
EUVD-2025-36696
Zitadel May Bypass Second Authentication Factor...
Zitadel May Bypass Second Authentication Factor
Summary A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified. Impact Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens...