
1357 matches found

Github Security Blog
Added 2025/10/29 10:21 p.m., 5 views

Zitadel May Bypass Second Authentication Factor

Summary A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified. Impact Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens...

CVSS 9.8, AI score 7.3, EPSS 0.00088
Exploits 0, References 5, Affected Software 2
EUVD
Added 2025/10/29 10:21 p.m., 2 views

EUVD-2025-36696

Zitadel May Bypass Second Authentication Factor...

CVSS 8.7, AI score 6.4, EPSS 0.00088
Exploits 0, References 3
EUVD
Added 2025/10/29 10:20 p.m., 3 views

EUVD-2025-36698

ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection...

CVSS 8.1, AI score 6.6, EPSS 0.00067
Exploits 0, References 3
OSV
Added 2025/10/29 10:20 p.m., 2 views

GHSA-MWMH-7PX9-4C23 ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection

Impact A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an...

CVSS 8.1, AI score 7.5, EPSS 0.00067
Exploits 0, References 5
Snyk
Added 2025/10/29 7:41 p.m., 3 views

Use of Single-factor Authentication

Overview Affected versions of this package are vulnerable to Use of Single-factor Authentication due to improper session validation in the authentication process. An attacker can gain unauthorized access to accounts protected by multi-factor authentication by submitting only a single authenticati...

CVSS 9.8, AI score 6.8, EPSS 0.00088
Exploits 0, References 2
Snyk
Added 2025/10/29 7:41 p.m., 1 view

Use of Single-factor Authentication

Overview Affected versions of this package are vulnerable to Use of Single-factor Authentication due to improper session validation in the authentication process. An attacker can gain unauthorized access to accounts protected by multi-factor authentication by submitting only a single authenticati...

CVSS 9.8, AI score 6.8, EPSS 0.00088
Exploits 0, References 2
Snyk
Added 2025/10/29 7:41 p.m., 1 view

Use of Single-factor Authentication

Overview Affected versions of this package are vulnerable to Use of Single-factor Authentication due to improper session validation in the authentication process. An attacker can gain unauthorized access to accounts protected by multi-factor authentication by submitting only a single authenticati...

CVSS 9.8, AI score 7.2, EPSS 0.00088
Exploits 0, References 2
NVD
Added 2025/10/29 7:15 p.m., 4 views

CVE-2025-64103

Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi-factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single-factor authenticated sessions as valid as...

CVSS 9.8, EPSS 0.00088
Exploits 0, References 2
NVD
Added 2025/10/29 7:15 p.m., 5 views

CVE-2025-64101

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...

CVSS 8.8, EPSS 0.00067
Exploits 0, References 2
Snyk
Added 2025/10/29 6:45 p.m., 1 view

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...

CVSS 8.8, AI score 7.4, EPSS 0.00067
Exploits 0, References 2
Snyk
Added 2025/10/29 6:45 p.m., 2 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...

CVSS 8.8, AI score 7.4, EPSS 0.00067
Exploits 0, References 2
Snyk
Added 2025/10/29 6:45 p.m., 1 view

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...

CVSS 8.8, AI score 7, EPSS 0.00067
Exploits 0, References 2
Snyk
Added 2025/10/29 6:45 p.m., 5 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...

CVSS 8.8, AI score 7, EPSS 0.00067
Exploits 0, References 2
Snyk
Added 2025/10/29 6:45 p.m., 2 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...

CVSS 8.8, AI score 7, EPSS 0.00067
Exploits 0, References 2
Snyk
Added 2025/10/29 6:45 p.m., 2 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...

CVSS 8.8, AI score 7, EPSS 0.00067
Exploits 0, References 2
Cvelist
Added 2025/10/29 6:43 p.m., 6 views

CVE-2025-64103 Zitadel Bypass Second Authentication Factor

Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi-factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single-factor authenticated sessions as valid as...

CVSS 8.7, EPSS 0.00088
Exploits 0, References 2
OSV
Added 2025/10/29 6:30 p.m., 4 views

CVE-2025-64101 ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...

CVSS 8.1, AI score 7.4, EPSS 0.00067
Exploits 0, References 4
Vulnrichment
Added 2025/10/29 6:30 p.m., 1 view

CVE-2025-64101 ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection

Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...

CVSS 8.1, AI score 7, EPSS 0.00067
Exploits 0, References 2
CNNVD
Added 2025/10/29 12:00 a.m., 5 views

ZITADEL Security Vulnerability

ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak built for the container and serverless era from the Swiss ZITADEL open source. A security vulnerability exists in ZITADEL versions 2.53.6, 2.54.3, and 2.55.0 that stems from not enforcing multi-factor...

CVSS 9.8, AI score 6.6, EPSS 0.00088
Exploits 0, References 3
Positive Technologies
Added 2025/10/29 12:00 a.m., 2 views

PT-2025-44343

Name of the Vulnerable Software and Affected Versions: Zitadel versions prior to 4.6.0; Zitadel versions 2.53.6 through 2.55.0; Zitadel versions prior to 3.4.3; Zitadel versions prior to 2.71.18. Description: A flaw exists in Zitadel where multi-factor authentication (MFA) was not consistently enforced...

CVSS 9.8, AI score 6.8, EPSS 0.00088
Exploits 0, References 8