
zitadel — Vulnerabilities & Security Advisories 47

Browse all 47 CVE security advisories affecting zitadel. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by zitadel:zitadel
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33132 | ZITADEL is missing enforcement of organization scopes | CWE-863 | 5.3 | Medium | 2026-03-20 |
| CVE-2026-32132 | ZITADEL: Reactivation of Expired Passkey Registration Codes | CWE-613 | 7.4 | High | 2026-03-11 |
| CVE-2026-32131 | ZITADEL Cross-Tenant Information Disclosure in Management API | CWE-639 | 7.7 | High | 2026-03-11 |
| CVE-2026-32130 | ZITADEL SCIM Authentication Bypass via URL Encoding | CWE-288 | 7.5 | High | 2026-03-11 |
| CVE-2026-29067 | ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login | CWE-601 | 8.1 | High | 2026-03-07 |
| CVE-2026-29193 | ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2 | CWE-287 | 8.2 | High | 2026-03-07 |
| CVE-2026-29192 | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | CWE-79 | 7.7 | High | 2026-03-07 |
| CVE-2026-29191 | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | CWE-79 | 9.3 | Critical | 2026-03-07 |
| CVE-2026-27946 | ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27945 | ZITADEL has potential SSRF via Actions | CWE-918 | 6.5 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27840 | ZITADEL's truncated opaque tokens are still valid | CWE-302 | 4.3 | Medium | 2026-02-26 |
| CVE-2026-23511 | ZITADEL has a user enumeration vulnerability in Login UIs | CWE-204 | 5.3 | Medium | 2026-01-15 |
| CVE-2025-67717 | Zitadel Discloses the Total Number of Instance Users | CWE-497 | 4.3 (AI) | Medium (AI) | 2025-12-11 |
| CVE-2025-67495 | ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login | CWE-79 | 8.0 | High | 2025-12-09 |
| CVE-2025-67494 | ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login | CWE-918 | 9.3 | Critical | 2025-12-09 |
| CVE-2025-64717 | ZITADEL vulnerable to Account Takeover with deactivated Instance IdP | CWE-287 | 3.8 | - | 2025-11-13 |
| CVE-2025-64431 | IDOR Vulnerabilities in ZITADEL's Organization API allow Cross-Tenant Data Tampering | CWE-639 | 6.5 | - | 2025-11-07 |
| CVE-2025-64103 | Zitadel Bypass Second Authentication Factor | CWE-308 | 9.1 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-64102 | Zitadel allows brute-forcing authentication factors | CWE-307 | 9.8 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-64101 | ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection | CWE-601 | 8.1 | High | 2025-10-29 |
| CVE-2025-57770 | ZITADEL user enumeration vulnerability in login UI | CWE-203 | 5.3 | Medium | 2025-08-22 |
| CVE-2025-53895 | ZITADEL has broken authN and authZ in session API and resulting session tokens | CWE-863 | 8.1 (AI) | High (AI) | 2025-07-15 |
| CVE-2025-48936 | ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection | CWE-601 | 8.1 | High | 2025-05-30 |
| CVE-2025-46815 | ZITADEL Allows IdP Intent Token Reuse | CWE-613 | 8.0 | High | 2025-05-06 |
| CVE-2025-31124 | Zitadel allows User Enumeration by loginname attribute normalization | CWE-203 | 5.3 | Medium | 2025-03-31 |
| CVE-2025-31123 | Zitadel Expired JWT Keys Usable for Authorization Grants | CWE-324 | 8.7 | High | 2025-03-31 |
| CVE-2025-27507 | IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations | CWE-639 | 9.0 | Critical | 2025-03-04 |
| CVE-2024-49757 | Zitadel User Registration Bypass Vulnerability | CWE-287 | 7.5 | High | 2024-10-25 |
| CVE-2024-49753 | Denied Host Validation Bypass in Zitadel Actions | CWE-20 | 5.9 | Medium | 2024-10-25 |
| CVE-2024-46999 | User Grant Deactivation not Working in Zitadel | CWE-269 | 7.3 | High | 2024-09-19 |

All entries above are for vendor zitadel. A CVSS score or severity marked (AI) is one the page tags as AI-generated rather than vendor-assigned; "-" means no severity is listed.

This page lists every published CVE security advisory associated with zitadel. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.