
zitadel — Vulnerabilities & Security Advisories (47)

All 47 CVE vulnerabilities found in zitadel, with AI-generated Chinese analysis, references, and POCs.

Vendor: zitadel

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33132 | ZITADEL is missing enforcement of organization scopes | CWE-863 | 5.3 | Medium | 2026-03-20 |
| CVE-2026-32132 | ZITADEL: Reactivation of Expired Passkey Registration Codes | CWE-613 | 7.4 | High | 2026-03-11 |
| CVE-2026-32131 | ZITADEL Cross-Tenant Information Disclosure in Management API | CWE-639 | 7.7 | High | 2026-03-11 |
| CVE-2026-32130 | ZITADEL SCIM Authentication Bypass via URL Encoding | CWE-288 | 7.5 | High | 2026-03-11 |
| CVE-2026-29067 | ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login | CWE-601 | 8.1 | High | 2026-03-07 |
| CVE-2026-29193 | ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2 | CWE-287 | 8.2 | High | 2026-03-07 |
| CVE-2026-29192 | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | CWE-79 | 7.7 | High | 2026-03-07 |
| CVE-2026-29191 | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | CWE-79 | 9.3 | Critical | 2026-03-07 |
| CVE-2026-27946 | ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27945 | ZITADEL has potential SSRF via Actions | CWE-918 | 6.5 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27840 | ZITADEL's truncated opaque tokens are still valid | CWE-302 | 4.3 | Medium | 2026-02-26 |
| CVE-2026-23511 | ZITADEL has a user enumeration vulnerability in Login UIs | CWE-204 | 5.3 | Medium | 2026-01-15 |
| CVE-2025-67717 | Zitadel Discloses the Total Number of Instance Users | CWE-497 | 4.3 (AI) | Medium (AI) | 2025-12-11 |
| CVE-2025-67495 | ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login | CWE-79 | 8.0 | High | 2025-12-09 |
| CVE-2025-67494 | ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login | CWE-918 | 9.3 | Critical | 2025-12-09 |
| CVE-2025-64717 | ZITADEL vulnerable to Account Takeover with deactivated Instance IdP | CWE-287 | 3.8 | - | 2025-11-13 |
| CVE-2025-64431 | IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tampering | CWE-639 | 6.5 | - | 2025-11-07 |
| CVE-2025-64103 | Zitadel Bypass Second Authentication Factor | CWE-308 | 9.1 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-64102 | Zitadel allows brute-forcing authentication factors | CWE-307 | 9.8 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-64101 | ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection | CWE-601 | 8.1 | High | 2025-10-29 |
| CVE-2025-57770 | ZITADEL user enumeration vulnerability in login UI | CWE-203 | 5.3 | Medium | 2025-08-22 |
| CVE-2025-53895 | ZITADEL has broken authN and authZ in session API and resulting session tokens | CWE-863 | 8.1 (AI) | High (AI) | 2025-07-15 |
| CVE-2025-48936 | ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection | CWE-601 | 8.1 | High | 2025-05-30 |
| CVE-2025-46815 | ZITADEL Allows IdP Intent Token Reuse | CWE-613 | 8.0 | High | 2025-05-06 |
| CVE-2025-31124 | Zitadel allows User Enumeration by loginname attribute normalization | CWE-203 | 5.3 | Medium | 2025-03-31 |
| CVE-2025-31123 | Zitadel Expired JWT Keys Usable for Authorization Grants | CWE-324 | 8.7 | High | 2025-03-31 |
| CVE-2025-27507 | IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations | CWE-639 | 9.0 | Critical | 2025-03-04 |
| CVE-2024-49757 | Zitadel User Registration Bypass Vulnerability | CWE-287 | 7.5 | High | 2024-10-25 |
| CVE-2024-49753 | Denied Host Validation Bypass in Zitadel Actions | CWE-20 | 5.9 | Medium | 2024-10-25 |
| CVE-2024-46999 | User Grant Deactivation not Working in Zitadel | CWE-269 | 7.3 | High | 2024-09-19 |

Entries marked (AI) carry the page's AI badge on the CVSS score and severity; "-" means no severity is listed.
