CVE-2026-32130
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass authentication and permission checks in ZITADEL's SCIM API by using URL-encoded path values. Attackers can retrieve sensitive user information including names, email addresses, phone numbers, addresses, external IDs, and roles. Organizations running ZITADEL from version 2.68.0 up to, but not including, the fixed releases 3.4.8 (3.x line) or 4.12.2 (4.x line) are affected.
💻 Affected Systems
- ZITADEL
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all user PII and organizational data stored in ZITADEL to unauthenticated attackers, potentially leading to identity theft, targeted phishing campaigns, and compliance violations.
Likely Case
Unauthenticated attackers exfiltrate sensitive user information including email addresses, phone numbers, and roles, enabling reconnaissance for further attacks or social engineering.
If Mitigated
Limited exposure of non-sensitive metadata if proper network segmentation and API gateway controls are in place.
🎯 Exploit Status
Exploitation requires sending specially crafted URL-encoded requests to SCIM API endpoints. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.8 or 4.12.2
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-83pv-4xxp-rm2x
Restart Required: Yes
Instructions:
1. Back up your ZITADEL configuration and data.
2. Upgrade to ZITADEL version 3.4.8 if on v3.x, or 4.12.2 if on v4.x.
3. Restart the ZITADEL service.
4. Verify the fix by testing SCIM API endpoints.
🔧 Temporary Workarounds
Disable SCIM API
Temporarily disable the SCIM API if it is not required for operations
Configure ZITADEL to disable SCIM API endpoints in your deployment configuration
API Gateway Authentication
Enforce authentication at the API gateway level before requests reach ZITADEL
Configure your API gateway (nginx, Kong, etc.) to require authentication for /scim/v2/* endpoints
🧯 If You Can't Patch
- Implement network-level controls to restrict access to SCIM API endpoints (port 8080 typically) to trusted IP addresses only
- Deploy a Web Application Firewall (WAF) with rules to block URL-encoded path manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Test by sending a URL-encoded request to SCIM API endpoints without authentication. If you receive user data, the system is vulnerable.
Check Version:
zitadel version or check ZITADEL admin interface for version information
Verify Fix Applied:
After patching, attempt the same URL-encoded request without authentication. You should receive 401 Unauthorized or an equivalent error response.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /scim/v2/* endpoints with URL-encoded characters
- Successful SCIM GET requests from unauthenticated sources
Network Indicators:
- Unusual traffic patterns to SCIM API endpoints
- Requests with %2F or other URL encoding in paths
SIEM Query:
source="zitadel" AND (uri_path="/scim/v2/*" OR uri_path CONTAINS "%2F") AND http_status=200 AND auth_status="unauthenticated"
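The log and network indicators above can be turned into a small offline check. The following is an added example, not code from ZITADEL or from this advisory: it assumes a constructed JSON-lines access-log format (fields method, path, status, authenticated) rather than ZITADEL's real log schema, percent-decodes the raw path until it is stable so that an encoded variant of a SCIM path and the plain path compare equal, and reports an unauthenticated request that reached a /scim/v2/ resource with status 200 as high severity and a rejected unauthenticated request carrying percent-encoded characters as medium severity.

```python
"""Added example (not ZITADEL code): flag SCIM requests that match the log indicators.

Assumed log format: one JSON object per line with the fields
method, path (raw request path as received), status, authenticated.
"""
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# A percent-encoded byte such as %2F anywhere in the raw path.
PCT = re.compile(r"%[0-9A-Fa-f]{2}")
SCIM_PREFIX = "/scim/v2/"

# Constructed sample log lines; paths and statuses are made up for this example.
SAMPLE_LOG = [
    '{"method":"GET","path":"/scim/v2/Users","status":401,"authenticated":false}',
    '{"method":"GET","path":"/scim%2Fv2%2FUsers","status":200,"authenticated":false}',
    '{"method":"GET","path":"/scim/v2/Users","status":200,"authenticated":true}',
    '{"method":"GET","path":"/ui/console","status":200,"authenticated":false}',
    '{"method":"GET","path":"/scim/v2/Users%2F","status":403,"authenticated":false}',
]


def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so encoded and plain paths compare equal.

    A bounded loop also covers double-encoded input such as %252F -> %2F -> /.
    """
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(rec: dict) -> Optional[str]:
    """Return a severity for one log record, or None if it is not of interest."""
    raw = rec.get("path", "")
    decoded = normalize_path(raw)
    encoded = bool(PCT.search(raw))
    targets_scim = raw.startswith(SCIM_PREFIX) or decoded.startswith(SCIM_PREFIX)
    if not targets_scim or rec.get("authenticated"):
        return None
    if rec.get("status") == 200:
        # Unauthenticated request that reached a SCIM resource and succeeded.
        return "high"
    if encoded:
        # Unauthenticated, percent-encoded probe that the server rejected.
        return "medium"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan JSON log lines and return (severity, raw_path) findings in input order."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        severity = classify(rec)
        if severity:
            findings.append((severity, rec["path"]))
    return findings


if __name__ == "__main__":
    for severity, path in scan(SAMPLE_LOG):
        print(f"{severity.upper()}: unauthenticated SCIM request to {path}")
```

Matching on the decoded path is what makes the check useful: a rule that only looks for the literal prefix /scim/v2/ in the raw path misses the encoded variant, while a rule that only looks for %2F misses a plain unauthenticated request that succeeded. Plain unauthenticated requests that were correctly rejected with 401 are not reported, since they are the expected behaviour of a patched instance.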