CVE-2026-29067
📋 TL;DR
This vulnerability allows attackers to hijack password reset links by manipulating HTTP headers. Attackers can send malicious Forwarded or X-Forwarded-Host headers to make ZITADEL generate password reset links pointing to attacker-controlled domains. All ZITADEL instances running affected versions with login V2 enabled are vulnerable.
💻 Affected Systems
- ZITADEL
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can reset any user's password, gain unauthorized access to accounts, and potentially compromise administrative accounts to take over the entire identity management system.
Likely Case
Attackers target specific users to reset their passwords and gain access to their accounts, leading to data breaches and unauthorized actions using compromised credentials.
If Mitigated
With proper header validation and network controls, attackers cannot reach the vulnerable endpoint or inject malicious headers, preventing exploitation.
🎯 Exploit Status
Exploitation requires sending HTTP requests with malicious headers to trigger password reset emails, which is straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.1
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5
Restart Required: Yes
Instructions:
1. Backup your ZITADEL configuration and data.
2. Update ZITADEL to version 4.7.1 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the ZITADEL service.
4. Verify the update by checking the version.
🔧 Temporary Workarounds
Disable login V2
Temporarily disable the vulnerable login V2 feature to prevent exploitation.
Set LOGIN_V2_ENABLED=false in ZITADEL configuration
Filter malicious headers at proxy
Configure reverse proxies or WAFs to strip or validate Forwarded and X-Forwarded-Host headers.
nginx: proxy_set_header X-Forwarded-Host '';
Apache: RequestHeader unset X-Forwarded-Host
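The allowlist rule that the proxy configuration above enforces, written out as an added Go example (not ZITADEL's code; the host names, the allowlist and the endpoint path are constructed for illustration). It parses both headers the advisory names, contrasts the unchecked value with the allowlisted one, and flags rejected requests for logging.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed allowlist of public hosts that may appear in emailed links.
var trustedHosts = map[string]bool{"auth.example.com": true}

// forwardedHost returns the host claimed by X-Forwarded-Host or, failing that,
// by the host= directive of the first Forwarded element (RFC 7239). Using this
// value unchecked is the flaw described above: it is attacker-controlled.
func forwardedHost(r *http.Request) string {
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		return h
	}
	first := strings.SplitN(r.Header.Get("Forwarded"), ",", 2)[0]
	for _, directive := range strings.Split(first, ";") {
		kv := strings.SplitN(strings.TrimSpace(directive), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "host") {
			return strings.Trim(kv[1], `"`)
		}
	}
	return ""
}

// linkHost applies the hardened rule: honour a forwarded host only when it is
// allowlisted, otherwise fall back to the canonical host and flag the request.
func linkHost(r *http.Request, canonical string) (host string, rejected bool) {
	candidate := strings.ToLower(forwardedHost(r))
	if candidate == "" {
		return canonical, false
	}
	if trustedHosts[candidate] {
		return candidate, false
	}
	return canonical, true
}

// newResetRequest builds a constructed reset request; an empty header value
// behaves like an absent header for the checks above.
func newResetRequest(forwarded, xForwardedHost string) *http.Request {
	r := httptest.NewRequest("POST", "https://auth.example.com/v2/auth/password/reset", nil)
	r.Header.Set("Forwarded", forwarded)
	r.Header.Set("X-Forwarded-Host", xForwardedHost)
	return r
}
```

Note that the nginx and Apache lines above unset only X-Forwarded-Host; the Forwarded header needs the same treatment at the proxy, which is why the parser here covers both.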
🧯 If You Can't Patch
- Implement strict network controls to block external access to ZITADEL's password reset endpoints.
- Enable multi-factor authentication for all accounts to reduce impact if passwords are compromised.
🔍 How to Verify
Check if Vulnerable:
Check if ZITADEL version is between 4.0.0-rc.1 and 4.7.0 and login V2 is enabled in configuration.
Check Version:
Run docker exec zitadel zitadel version, or check the version info in the ZITADEL admin interface.
Verify Fix Applied:
Confirm ZITADEL version is 4.7.1 or later and test password reset functionality with malicious headers to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual password reset requests from unexpected IPs
- Log entries showing password reset emails sent to non-standard domains
Network Indicators:
- HTTP requests to password reset endpoints containing Forwarded or X-Forwarded-Host headers with suspicious domains
SIEM Query:
source="zitadel" AND (event="password_reset" OR endpoint="/v2/auth/password/reset") AND (header="Forwarded" OR header="X-Forwarded-Host")