CVE-2026-32132
📋 TL;DR
ZITADEL identity management platform versions before 3.4.8 (3.x line) and before 4.12.2 (4.x line) contain a passkey registration vulnerability: the expiration of passkey registration codes is not checked properly, so an attacker holding a code that was retrieved earlier can still redeem it and register a passkey of their own on the target account. An attacker-controlled passkey on the victim's account bypasses the normal authentication controls and enables account takeover. Any deployment running an unpatched version is affected.
💻 Affected Systems
- ZITADEL
⚠️ Manual Verification Required
Automatic detection cannot flag this CVE because the database entry carries no machine-readable version ranges (none were provided in the vendor/NVD record). Compare your version manually against the fixed versions in the vendor advisory: 3.4.8 for the 3.x line and 4.12.2 for the 4.x line.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user account, allowing unauthorized access to sensitive systems and data protected by ZITADEL authentication.
Likely Case
Targeted account compromise of high-value users, potentially leading to data breaches or privilege escalation within integrated systems.
If Mitigated
Limited impact with proper monitoring and quick detection, though authentication bypass remains possible until patched.
🎯 Exploit Status
Exploitation requires first obtaining a valid passkey registration code issued for the target account, which may take some initial access or social engineering. Once held, the code does not have to be fresh: the missing expiration check is the vulnerability, so a code retrieved earlier remains usable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.8 or 4.12.2
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-2x66-r53r-9r86
Restart Required: Yes
Instructions:
1. Back up your ZITADEL instance and configuration.
2. Update to version 3.4.8 (for v3.x) or 4.12.2 (for v4.x).
3. Restart the ZITADEL service.
4. Verify that the running version is the patched one.
🔧 Temporary Workarounds
Disable passkey registration
- Temporarily turn off passkey registration until the patch can be applied, so that previously issued codes cannot be redeemed
- Do this in the ZITADEL configuration (for example the login policy's passwordless/passkey setting) rather than at the network edge alone, so that every registration path is covered
🧯 If You Can't Patch
- Implement network segmentation to restrict access to ZITADEL authentication endpoints
- Enable enhanced logging and monitoring for suspicious passkey registration attempts
🔍 How to Verify
Check if Vulnerable:
Check ZITADEL version via admin interface or configuration files. If version is below 3.4.8 (for v3) or 4.12.2 (for v4), the system is vulnerable.
Check Version:
Check ZITADEL admin console or configuration files for version information
Verify Fix Applied:
After updating, confirm that the running version is 3.4.8 or higher (for v3) or 4.12.2 or higher (for v4). Then, in a test organization, start a passkey registration, wait until the code has passed its validity period, and try to complete the registration with it; a patched instance rejects the expired code.
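The version comparison above is easy to get wrong across two release lines, so here is an added example (not ZITADEL project code, not from the advisory) that checks a version string against the two fixed versions named on this page. It treats a pre-release such as 4.12.2-rc1 as older than the 4.12.2 release and reports major lines the advisory does not mention as not covered rather than guessing. The sample version strings are constructed.

```python
# Added example: this is not ZITADEL project code and not from the advisory.
# It compares a ZITADEL version string with the fixed versions named on this
# page (3.4.8 for the 3.x line, 4.12.2 for the 4.x line). A pre-release such
# as 4.12.2-rc1 is treated as older than the 4.12.2 release. Major lines the
# advisory does not mention (e.g. 2.x) are reported as None, not guessed at.
import re

# (major, minor, patch, is_final) -- is_final is 1 for a release, 0 for a pre-release
FIXED = {3: (3, 4, 8, 1), 4: (4, 12, 2, 1)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(s):
    """'v4.11.0', '4.12.2-rc1' or '3.4.8' -> (major, minor, patch, is_final)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_vulnerable(s):
    """True = below the fixed version of its line, False = fixed, None = line not covered."""
    v = parse_version(s)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed


if __name__ == "__main__":
    # Constructed sample inputs, such as an inventory export might contain.
    labels = {True: "VULNERABLE", False: "fixed", None: "line not covered by advisory"}
    for sample in ["3.4.7", "v3.4.8", "4.11.9", "4.12.2-rc1", "4.12.2", "2.70.0"]:
        print(f"{sample:12} -> {labels[is_vulnerable(sample)]}")
```

Feed it whatever your inventory reports as the ZITADEL version (with or without a leading "v"); a None result means the major line is outside the two the advisory covers and needs a manual look.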
📡 Detection & Monitoring
Log Indicators:
- Multiple failed passkey registration attempts
- Successful passkey registrations from unusual IP addresses
- Passkey registrations using old/expired codes
Network Indicators:
- Unusual traffic patterns to /api/v2/users/me/passkeys/registration endpoint
- Authentication requests from unexpected locations
SIEM Query:
source="zitadel" AND event="passkey_registration" AND result="success" AND code_age>3600
(The field names are placeholders; map them onto the fields your log pipeline actually emits, and set the threshold to the code validity period configured on your instance. Matching on result="success" alone would flag every legitimate registration.)
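The query above assumes the SIEM already knows how old a code was when it was redeemed. Where it does not, the age has to be reconstructed by pairing each successful passkey registration with the earlier issuance of the same code. The following added example (not ZITADEL code, not from the original page) does that over constructed JSON log lines; the event names, field names and the one-hour validity window are assumptions for illustration. It flags the condition this CVE describes (a code redeemed after its validity window) and, as secondary signals, a code redeemed twice and a redemption from a different IP than the issuance.

```python
# Added detection example, not from ZITADEL or the original page. The log
# format, the event names and the one-hour code validity window are
# assumptions for illustration; map them onto what your pipeline emits.
import json
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(hours=1)  # assumed validity window of a passkey registration code

# Constructed sample log lines (not real ZITADEL output).
SAMPLE_LOG = """\
{"ts":"2026-03-01T09:00:00Z","event":"passkey_code_issued","user":"u1","code_id":"c1","ip":"10.0.0.5"}
{"ts":"2026-03-01T09:10:00Z","event":"passkey_registered","user":"u1","code_id":"c1","ip":"10.0.0.5","result":"success"}
{"ts":"2026-03-01T10:00:00Z","event":"passkey_code_issued","user":"u2","code_id":"c2","ip":"10.0.0.9"}
{"ts":"2026-03-01T13:30:00Z","event":"passkey_registered","user":"u2","code_id":"c2","ip":"203.0.113.7","result":"success"}
{"ts":"2026-03-01T14:00:00Z","event":"passkey_registered","user":"u1","code_id":"c1","ip":"198.51.100.3","result":"success"}
{"ts":"2026-03-01T14:05:00Z","event":"passkey_registered","user":"u3","code_id":"c9","ip":"198.51.100.3","result":"success"}
"""


def parse_ts(s):
    """ISO-8601 UTC timestamp with a trailing Z -> aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious(lines, ttl=CODE_TTL):
    """Return a list of suspicious successful passkey registrations with reasons.

    Logs must be in chronological order so that each issuance precedes its use.
    """
    issued = {}    # code_id -> (user, issued_at, ip) from the most recent issuance
    redeemed = set()  # code_ids already consumed by a successful registration
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["event"] == "passkey_code_issued":
            issued[ev["code_id"]] = (ev["user"], ts, ev["ip"])
        elif ev["event"] == "passkey_registered" and ev.get("result") == "success":
            code = ev["code_id"]
            reasons = []
            if code not in issued:
                reasons.append("no code issuance event seen for this code_id")
            else:
                _user, issued_at, issued_ip = issued[code]
                age = ts - issued_at
                if age > ttl:  # the CVE condition: a stale code was accepted
                    reasons.append(f"code redeemed {age} after issuance (ttl {ttl})")
                if code in redeemed:
                    reasons.append("code reused after an earlier successful registration")
                if ev["ip"] != issued_ip:  # weak signal on its own, useful as corroboration
                    reasons.append(f"redeemed from {ev['ip']} but issued to {issued_ip}")
            redeemed.add(code)
            if reasons:
                findings.append({"user": ev["user"], "code_id": code,
                                 "ts": ev["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} user={f['user']} code={f['code_id']}: " + "; ".join(f["reasons"]))
```

The age check is the one that corresponds to this CVE on a vulnerable instance; on a patched instance it should never fire, which makes it a cheap regression check too. Treat the IP mismatch as corroboration only, since mobile users change addresses legitimately, and keep the issuance lookback at least as long as your retention of registration events, otherwise old issuances fall out of the map and show up as "no issuance seen".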