CVE-2026-29193
📋 TL;DR
This vulnerability in ZITADEL's login interface allows users to bypass configured security policies and self-register accounts or use password authentication even when these options are disabled for their organization. Organizations using ZITADEL versions 4.0.0 through 4.12.0 are affected, potentially leading to unauthorized account creation and access.
💻 Affected Systems
- ZITADEL
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers create unauthorized administrator accounts, gain full control of the identity management system, and compromise all managed identities and authentication flows.
Likely Case
Unauthorized users register accounts in organizations where self-registration is disabled, potentially accessing restricted resources or services.
If Mitigated
Unauthorized account creation attempts are logged and detected before significant damage occurs.
🎯 Exploit Status
Exploitation requires access to the login interface but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.12.1
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8
Restart Required: Yes
Instructions:
1. Backup your ZITADEL instance and configuration.
2. Update to version 4.12.1 using your deployment method (Docker, Kubernetes, etc.).
3. Restart the ZITADEL service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Login V2 UI
Temporarily disable the affected login interface until patching is possible.
# Configure ZITADEL to use Login V1 instead of V2
# Modify configuration to set login UI version to v1
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to ZITADEL login endpoints.
- Enable detailed logging and monitoring for unauthorized registration attempts.
🔍 How to Verify
Check if Vulnerable:
Check ZITADEL version via admin interface or API. If version is between 4.0.0 and 4.12.0 inclusive, the system is vulnerable.
Check Version:
curl -s http://zitadel-instance:8080/api/v1/version | grep version
Verify Fix Applied:
After updating, verify version is 4.12.1 or higher and test that disabled registration/password options are properly enforced.
📡 Detection & Monitoring
Log Indicators:
- Unexpected account creation events
- Login attempts using password when password auth is disabled
- Registration attempts when self-registration is disabled
Network Indicators:
- Unusual traffic patterns to login endpoints
- Multiple registration requests from single IP
SIEM Query:
source="zitadel" AND (event="user.created" OR event="user.login") AND status="success" WHERE policy_disabled=true
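The SIEM query above assumes each event already carries a policy_disabled field. ZITADEL events record what happened, not what the organization's policy permitted, so a detection has to join the event against a snapshot of the org policy. The Python below is an added example, not ZITADEL's own code: the event field names, the policy keys and the JSON log lines are all constructed assumptions, and it also tallies source IPs behind flagged events for the "multiple requests from a single IP" indicator.

```python
import json

# Constructed per-organization policy snapshot (assumed keys, not ZITADEL's API).
ORG_POLICY = {
    "org-a": {"allow_register": False, "allow_username_password": True},
    "org-b": {"allow_register": True, "allow_username_password": False},
}

# Constructed sample events in JSON-lines form; field names are an assumption.
SAMPLE_LOG = """\
{"ts":"2026-03-01T10:00:00Z","event":"user.created","org":"org-a","user":"mallory","source":"self-register","status":"success","ip":"203.0.113.7"}
{"ts":"2026-03-01T10:00:05Z","event":"user.created","org":"org-a","user":"alice","source":"admin","status":"success","ip":"198.51.100.2"}
{"ts":"2026-03-01T10:01:00Z","event":"user.login","org":"org-b","user":"bob","method":"password","status":"success","ip":"203.0.113.7"}
{"ts":"2026-03-01T10:01:30Z","event":"user.login","org":"org-b","user":"carol","method":"passkey","status":"success","ip":"198.51.100.9"}
{"ts":"2026-03-01T10:02:00Z","event":"user.created","org":"org-a","user":"eve","source":"self-register","status":"failed","ip":"203.0.113.7"}
"""


def violates_policy(ev, policies):
    """Return a reason if a successful event contradicts the org's policy, else None."""
    policy = policies.get(ev.get("org"))
    if policy is None or ev.get("status") != "success":
        return None  # unknown org or a failed attempt: not a bypass, only noise
    if ev.get("event") == "user.created" and ev.get("source") == "self-register" \
            and not policy["allow_register"]:
        return "self-registration succeeded while disabled"
    if ev.get("event") == "user.login" and ev.get("method") == "password" \
            and not policy["allow_username_password"]:
        return "password login succeeded while password auth disabled"
    return None


def scan_log(text, policies):
    """Parse JSON lines; return (findings, per-IP count of flagged events)."""
    findings, ips = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        reason = violates_policy(ev, policies)
        if reason:
            findings.append({"ts": ev.get("ts"), "org": ev.get("org"),
                             "user": ev.get("user"), "ip": ev.get("ip"), "reason": reason})
            ips[ev.get("ip")] = ips.get(ev.get("ip"), 0) + 1
    return findings, ips


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, ORG_POLICY)[0]:
        print(finding)
```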