CVE-2026-23511

5.3 MEDIUM

📋 TL;DR

CVE-2026-23511 is a user enumeration vulnerability in the ZITADEL identity management platform that allows unauthenticated attackers to confirm valid user accounts by testing usernames and userIDs. This affects all ZITADEL instances running versions before 4.9.1 and 3.4.6. The vulnerability exposes user account existence information, which can facilitate targeted attacks.

💻 Affected Systems

Products:
  • ZITADEL
Versions: All versions before 4.9.1 and 3.4.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all ZITADEL deployments with login interfaces exposed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers build comprehensive user directories enabling targeted phishing, credential stuffing, or social engineering attacks against known valid accounts.

🟠

Likely Case

Attackers enumerate valid user accounts to identify targets for credential stuffing or brute force attacks, potentially leading to account compromise.

🟢

If Mitigated

Limited information disclosure with no direct access to passwords or sensitive data, but still reveals account existence.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple enumeration attack requiring only HTTP requests to login endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.1 or 3.4.6

Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r

Restart Required: Yes

Instructions:

1. Backup your ZITADEL instance.
2. Update to ZITADEL version 4.9.1 (for v4) or 3.4.6 (for v3).
3. Restart the ZITADEL service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Rate Limiting

all

Implement rate limiting on login endpoints to slow down enumeration attempts.

# Configure rate limiting in your reverse proxy or application firewall

WAF Rules

all

Deploy WAF rules to detect and block user enumeration patterns.

# Add WAF rules for login endpoint abuse detection

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to login interfaces
  • Deploy monitoring and alerting for suspicious login attempt patterns

🔍 How to Verify

Check if Vulnerable:

Test login endpoints with valid and invalid usernames. If response times or error messages differ between the two, the system is vulnerable.

Check Version:

zitadel version

Verify Fix Applied:

After patching, test that both valid and invalid usernames return identical response patterns.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts with different usernames from same IP
  • Unusual patterns of login requests

Network Indicators:

  • High volume of requests to login endpoints
  • Sequential username patterns in requests

SIEM Query:

source="zitadel" AND (event="login_failed" OR event="login_attempt") | stats count by src_ip, username | where count > threshold
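The SIEM logic above, as an added example that is not part of this advisory or of ZITADEL: it runs the same grouping over constructed JSON log lines and adds the distinct-username count per source IP, which is what separates enumeration from a single user retrying a wrong password. The field names event, src_ip and username are assumed to match the query, and the thresholds are illustrative.

```python
import json
from collections import defaultdict

# Constructed sample log lines (not real ZITADEL output; the field names
# event, src_ip and username are assumptions matching the SIEM query above).
# 203.0.113.7 cycles through many usernames: the enumeration pattern.
# 198.51.100.5 is one user failing repeatedly: noisy, but not enumeration.
SAMPLE_LOG = "\n".join(
    [f'{{"event":"login_failed","src_ip":"203.0.113.7","username":"user{i:02d}"}}'
     for i in range(12)]
    + ['{"event":"login_failed","src_ip":"198.51.100.5","username":"bob"}'] * 6
    + ['{"event":"login_attempt","src_ip":"198.51.100.5","username":"bob"}']
    + ['{"event":"token_issued","src_ip":"198.51.100.5","username":"bob"}']
    + ['this line is not JSON and must be skipped']
)

LOGIN_EVENTS = {"login_failed", "login_attempt"}


def parse_events(text):
    """Return the login-related events from newline-delimited JSON log text."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate malformed lines instead of aborting the scan
        if isinstance(rec, dict) and rec.get("event") in LOGIN_EVENTS:
            events.append(rec)
    return events


def stats_by_ip(events):
    """Equivalent of `stats count by src_ip`, plus the set of usernames seen per IP."""
    per_ip = defaultdict(lambda: {"attempts": 0, "usernames": set()})
    for e in events:
        bucket = per_ip[e.get("src_ip", "unknown")]
        bucket["attempts"] += 1
        bucket["usernames"].add(e.get("username", ""))
    return per_ip


def find_enumeration(events, min_attempts=10, min_distinct_users=5):
    """Flag IPs whose attempt count AND distinct-username count both reach the thresholds."""
    alerts = {}
    for ip, s in stats_by_ip(events).items():
        if s["attempts"] >= min_attempts and len(s["usernames"]) >= min_distinct_users:
            alerts[ip] = {"attempts": s["attempts"], "distinct_users": len(s["usernames"])}
    return alerts


if __name__ == "__main__":
    print(find_enumeration(parse_events(SAMPLE_LOG)))
```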
