threatengine.sh

Product: zitadel
47 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | CVSS | Severity | Summary (truncated on the page) |
|---|---|---|---|---|
| CVE-2026-44671 | >= 2.71.11 and < 3.4.10 | 7.5 | HIGH | ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered i… |
| CVE-2026-33132 | < 3.4.9 | 5.3 | MEDIUM | ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass o… |
| CVE-2026-32132 | < 3.4.8 | 7.4 | HIGH | ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's p… |
| CVE-2026-32131 | < 3.4.8 | 7.7 | HIGH | ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has… |
| CVE-2026-32130 | >= 2.68.0 and < 3.4.8 | 7.5 | HIGH | ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cros… |
| CVE-2026-29193 | >= 4.0.0 and < 4.12.1 | 8.2 | HIGH | ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI all… |
| CVE-2026-29192 | >= 4.0.0 and < 4.12.0 | 7.7 | HIGH | ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interf… |
| CVE-2026-29191 | >= 4.0.0 and < 4.12.0 | 9.3 | CRITICAL | ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interf… |
| CVE-2026-29067 | >= 4.0.0 and < 4.7.1 | 8.1 | HIGH | ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITA… |
| CVE-2026-27946 | < 3.4.7 | 6.5 | MEDIUM | ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-mana… |
| CVE-2026-27945 | >= 2.59.0 and <= 3.4.6 | 6.5 | MEDIUM | ZITADEL is an open source identity management platform. Zitadel Action V2 (introduced as early preview in 2.59.0, beta in 3.0.0 an… |
| CVE-2026-27840 | >= 2.31.0 and <= 2.71.19 | 4.3 | MEDIUM | ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque… |
| CVE-2026-23511 | >= 2.0.0 and <= 2.71.19 | 5.3 | MEDIUM | ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discov… |
| CVE-2025-67717 | >= 2.44.0 and <= 2.71.19 | 4.3 | MEDIUM | ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the to… |
| CVE-2025-67495 | >= 4.0.0 and < 4.7.1 | 8.0 | HIGH | ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through… |
| CVE-2025-67494 | >= 4.0.0 and < 4.7.1 | 9.3 | CRITICAL | ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read S… |
| CVE-2025-64717 | >= 2.50.0 and < 2.71.19 | 9.8 | CRITICAL | ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6… |
| CVE-2025-64103 | >= 2.53.6 and <= 2.53.9 | 9.8 | CRITICAL | Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either en… |
| CVE-2025-64102 | < 2.71.18 | 9.8 | CRITICAL | Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online bru… |
| CVE-2025-64101 | < 2.71.18 | 8.1 | HIGH | Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in Z… |
| CVE-2025-57770 | < 2.71.15 | 5.3 | MEDIUM | The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0… |
| CVE-2025-53895 | >= 2.53.0 and < 2.70.14 | 8.8 | HIGH | ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13,… |
| CVE-2025-48936 | >= 2.0.0 and < 2.70.12 | 8.1 | HIGH | Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability… |
| CVE-2025-46815 | < 2.70.10 | 8.0 | HIGH | The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API… |
| CVE-2025-31124 | < 2.63.9 | 5.3 | MEDIUM | Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown user… |
| CVE-2025-31123 | >= 2.62.0 and < 2.63.9 | 8.7 | HIGH | Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens… |
| CVE-2025-27507 | < 2.63.8 | 9.0 | CRITICAL | The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Ad… |
| CVE-2024-49757 | < 2.58.7 | 7.5 | HIGH | The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a mis… |
| CVE-2024-49753 | < 2.58.7 | 5.9 | MEDIUM | Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.5… |
| CVE-2024-47060 | < 2.54.10 | 4.3 | MEDIUM | Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects… |
| CVE-2024-47000 | < 2.54.10 | 8.1 | HIGH | Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with… |
| CVE-2024-46999 | < 2.54.10 | 7.3 | HIGH | Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deact… |
| CVE-2024-41953 | >= 2.52.0 and < 2.52.3 | 4.3 | MEDIUM | Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernam… |
| CVE-2024-41952 | >= 2.53.0 and < 2.53.9 | 5.3 | MEDIUM | Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernam… |
| CVE-2024-39683 | >= 2.53.0 and < 2.53.8 | 5.7 | MEDIUM | ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the curren… |
| CVE-2024-32967 | < 2.45.7 | 5.3 | MEDIUM | Zitadel is an open source identity management system. In case ZITADEL could not connect to the database, connection information in… |
| CVE-2024-32868 | < 2.50.0 | 6.5 | MEDIUM | ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Emai… |
| CVE-2024-29892 | < 2.42.17 | 6.1 | MEDIUM | ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an… |
| CVE-2024-29891 | < 2.42.17 | 8.7 | HIGH | ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upl… |
| CVE-2024-28855 | < 2.41.15 | 8.1 | HIGH | ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to an improper use of the `t… |
| CVE-2024-28197 | < 2.44.3 | 7.5 | HIGH | Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sess… |
| CVE-2023-49097 | >= 2.39.0 and < 2.39.9 | 8.1 | HIGH | ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host head… |
| CVE-2023-47111 | < 2.38.3 | 7.3 | HIGH | ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a Lockout Policy with a maxi… |
| CVE-2023-46238 | < 2.38.2 | 8.7 | HIGH | ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types… |
| CVE-2023-44399 | <= 2.37.2 | 5.3 | MEDIUM | ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignori… |
| CVE-2023-22492 | >= 2.0.0 and < 2.16.4 | 5.9 | MEDIUM | ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new acc… |
| CVE-2022-36051 | >= 1.42.0 and < 1.87.1 | 8.7 | HIGH | ZITADEL combines the ease of Auth0 and the versatility of Keycloak. Actions, introduced in ZITADEL 1.42.0 on the API and… |
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin