Description

ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.

Related CPE's

a

zitadel

zitadel

3

References

https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2

Patch

https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d

Patch

https://github.com/zitadel/zitadel/releases/tag/v3.4.6

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v4.9.1

Release Notes

https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-204

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-15T20:16:05.167Z

5 days ago

Last modified

2026-01-20T16:44:43.437Z

12 hours ago