Zitadel Security Vulnerabilities (CVEs)
Track 24 security vulnerabilities affecting Zitadel products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
- Feb 26, 2026: ZITADEL identity management platform versions 2.31.0 through 3.4.6 and 4.0.0 through 4.10.0 have a token validation flaw where truncated OIDC access t...
- Feb 26, 2026: This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in ZITADEL's Action V2 feature that allows attackers to make ZITADEL send reques...
- Jan 15, 2026: CVE-2026-23511 is a user enumeration vulnerability in ZITADEL identity management platform that allows unauthenticated attackers to confirm valid user...
- Dec 11, 2025: ZITADEL versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users regardless of th...
- Dec 9, 2025: ZITADEL versions 4.0.0-rc.1 through 4.7.0 have a DOM-based XSS vulnerability in the logout endpoint. Unauthenticated attackers can execute malicious J...
- Dec 9, 2025: CVE-2025-67494 is an unauthenticated server-side request forgery (SSRF) vulnerability in ZITADEL identity infrastructure. Attackers can force the ZITA...
- Nov 13, 2025: This vulnerability in ZITADEL identity management platform allows unauthenticated attackers to bypass organization security controls and perform accou...
- Oct 29, 2025: This vulnerability allows attackers to bypass multi-factor authentication (MFA) in Zitadel by targeting only the TOTP code without requiring password ...
- Oct 29, 2025: This vulnerability allows attackers to hijack password reset links in Zitadel identity management software by manipulating HTTP headers. Attackers can...
- Oct 29, 2025: Zitadel identity infrastructure software versions prior to 4.6.0, 3.4.3, and 2.71.18 are vulnerable to online brute-force attacks on OTP, TOTP, and pa...
- May 30, 2025: This vulnerability allows attackers to hijack password reset links in Zitadel identity management software by manipulating HTTP headers. Attackers can...
- May 6, 2025: This vulnerability in ZITADEL's Session API allows attackers to repeatedly use idp intents to steal authentication tokens. Attackers with access to th...
- Mar 31, 2025: Zitadel identity infrastructure software has a vulnerability where expired JWT keys can be used to obtain valid access tokens during Authorization Gra...
- Mar 31, 2025: ZITADEL's 'Ignoring unknown usernames' setting fails to properly hide user existence due to username normalization, allowing attackers to determine if...
- Mar 4, 2025: Zitadel's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users without proper IAM roles to modify...
- Oct 25, 2024: This vulnerability in Zitadel identity infrastructure software allows attackers to bypass URL validation restrictions and send requests to localhost (...
- Sep 20, 2024: This vulnerability in Zitadel identity management platform allows deactivated user grants to remain active in tokens, potentially granting unauthorize...
- Sep 20, 2024: This vulnerability in Zitadel identity management platform allows unauthorized access to applications and projects even after their parent organizatio...
- Jul 31, 2024: This vulnerability in Zitadel identity management system allows attackers to enumerate valid usernames when the 'Ignoring unknown usernames' security ...
- May 1, 2024: Zitadel identity management system versions before patched releases could expose database connection details (database name, username, hostname) to us...
- Mar 18, 2024: ZITADEL authentication management software versions before 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a cross-site scripting...
- Nov 30, 2023: ZITADEL identity infrastructure systems are vulnerable to account takeover via password reset email manipulation. Attackers can inject malicious Forwa...
- Nov 8, 2023: This vulnerability allows attackers to bypass ZITADEL's lockout policy by initiating parallel password checks, enabling more password attempts than co...
- Oct 26, 2023: This vulnerability in ZITADEL allows attackers to inject malicious JavaScript into SVG avatar images, potentially enabling account takeover when victi...

Why Monitor Zitadel Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 24+ known vulnerabilities affecting Zitadel products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Zitadel packages in under 60 seconds. No agents required - completely agentless scanning that works across Zitadel deployments.
Free vulnerability database: Access detailed information about every Zitadel CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.
🚀 Get Started in 60 Seconds
- Register free account & add your servers
- Run one-time scan or schedule automatic monitoring (every 1-24 hours)
- Receive instant alerts when new Zitadel CVEs affect your systems
- Access dashboard with severity breakdown & fix instructions