Description
ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.
Published: 2026-01-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration
Action: Patch
AI Analysis

Impact

ZITADEL’s login interfaces allow an unauthenticated attacker to determine whether a given username or userID belongs to an existing account by observing differences in the responses the login flow returns. This is a user‑enumeration weakness, classified as CWE‑204 (Observable Response Discrepancy). It yields no access by itself, but a confirmed list of valid accounts is the starting point for targeted credential guessing (password spraying) and for phishing that names real users. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) scores it 5.3 Medium: reachable over the network with no privileges or user interaction, but limited to a low confidentiality impact with no integrity or availability impact.

Affected Systems

ZITADEL releases before 4.9.1 (4.x line) and before 3.4.6 (3.x line) are affected; the NVD CPE entry (cpe:2.3:a:zitadel:zitadel:*) matches all versions. The weakness lies in the Login UIs, per the GitHub advisory GHSA-pvm5-9frx-264r.

Risk and Exploitability

The flaw requires no authentication and is reached through the standard web login UI, so anyone who can load the login page can exploit it. Exploitation is straightforward: submit login attempts for a list of candidate usernames or userIDs and compare the responses; candidates whose response differs from the one returned for a nonexistent account correspond to real users. The SSVC assessment on this page marks it Automatable: yes. The EPSS score below 1% and its absence from the CISA KEV catalog indicate no observed exploitation at the time of writing, but the attack is trivial to script, so the risk remains tangible for deployments whose login portals are exposed to the internet.
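The discrepancy described above, as an added example that is not ZITADEL's code and not taken from the advisory: a login handler that leaks account existence through its failure message (CWE-204), the uniform-response fix, and the oracle an attacker would run against each. The user store, the usernames and userIDs, the messages and the probe password are all constructed for the demonstration.

```python
"""Added example (not ZITADEL code): a login handler that leaks account
existence through an observable response discrepancy (CWE-204), the
uniform-response fix, and the enumeration oracle an attacker would run
against each. The user store, identifiers and messages are constructed."""
import hashlib
import hmac
import os
import secrets

# Low iteration count so the demo runs quickly; raise it in real code.
PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store, addressable by username and by userID, mirroring
# the "usernames and userIDs" the advisory says can be iterated.
_SALT = os.urandom(16)
USERS = {
    "alice": {"id": "1001", "hash": hash_password("correct horse", _SALT)},
    "bob":   {"id": "1002", "hash": hash_password("battery staple", _SALT)},
}
_BY_ID = {u["id"]: u for u in USERS.values()}


def _lookup(identifier: str):
    """Resolve a username or userID to a user record, or None."""
    return USERS.get(identifier) or _BY_ID.get(identifier)


def vulnerable_login(identifier: str, password: str) -> str:
    """Leaks existence: the failure message depends on whether the account exists."""
    user = _lookup(identifier)
    if user is None:
        return "user not found"
    if hmac.compare_digest(hash_password(password, _SALT), user["hash"]):
        return "ok"
    return "wrong password"


# Stand-in hash used when the account does not exist, so both failure paths
# do the same amount of work. Closing the timing channel is a general
# hardening step; the advisory itself describes only a response discrepancy.
_DUMMY_HASH = hash_password(secrets.token_hex(16), _SALT)


def hardened_login(identifier: str, password: str) -> str:
    """One generic failure message whether or not the account exists."""
    user = _lookup(identifier)
    stored = user["hash"] if user is not None else _DUMMY_HASH
    matched = hmac.compare_digest(hash_password(password, _SALT), stored)
    if matched and user is not None:
        return "ok"
    return "invalid credentials"


def enumerate_accounts(login, candidates, probe_password="definitely-wrong"):
    """Attacker's oracle: learn the 'no such account' response from a random
    identifier, then report every candidate whose response differs from it."""
    baseline = login(secrets.token_hex(16), probe_password)
    return sorted(c for c in candidates if login(c, probe_password) != baseline)


# Constructed candidate list mixing usernames and userIDs, real and bogus.
CANDIDATES = ["alice", "bob", "carol", "1001", "9999"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(vulnerable_login, CANDIDATES))  # ['1001', 'alice', 'bob']
    print("hardened:  ", enumerate_accounts(hardened_login, CANDIDATES))    # []
```

Against `vulnerable_login` the oracle recovers every real username and userID in the candidate list; against `hardened_login` it recovers nothing, because every failure looks identical. In a real login UI the observable difference need not be a message: a different HTTP status, redirect target, page template or extra form step serves the oracle just as well, so the comparison in `enumerate_accounts` should cover whatever the client can observe.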

Generated by OpenCVE AI on April 18, 2026 at 06:01 UTC.

Remediation

Vendor fix available: upgrade to ZITADEL 4.9.1 (4.x line) or 3.4.6 (3.x line); see GHSA-pvm5-9frx-264r. No separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade to ZITADEL 4.9.1 or 3.4.6, where the login UI no longer reveals whether an account exists.
  • Where the deployment allows it, restrict access to the login interfaces to trusted networks or IP ranges. An identity provider's login page often has to stay public; in that case rely on the patch and on rate limiting rather than on network restriction.
  • Review authentication logs for bursts of failed login attempts from one source that cycle through many distinct usernames or userIDs, and apply per‑source rate limiting. Account lockout does little against enumeration, since the attacker needs only one attempt per candidate identifier.
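One way to implement the log review in the last bullet, as an added example that is not ZITADEL code and does not use ZITADEL's log format: flag source addresses that fail logins against many distinct identifiers within a short window, which is the footprint enumeration leaves behind. The log lines, their format, the addresses and the thresholds are constructed for the demonstration.

```python
"""Added example (not ZITADEL code or log format): flag source addresses that
fail logins against many distinct identifiers in a short window, the pattern
left behind by username/userID enumeration. Log lines are constructed."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed log format; adapt the regex to the real IdP's audit log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: one source probing six identifiers in six seconds,
# one user mistyping a password twice, one unparseable line, and a late
# probe from the first source that falls outside the window.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z src=203.0.113.7 user=alice result=failure
2026-01-15T10:00:02Z src=203.0.113.7 user=bob result=failure
2026-01-15T10:00:03Z src=203.0.113.7 user=carol result=failure
2026-01-15T10:00:04Z src=203.0.113.7 user=1001 result=failure
2026-01-15T10:00:05Z src=203.0.113.7 user=1002 result=failure
2026-01-15T10:00:06Z src=203.0.113.7 user=1003 result=failure
2026-01-15T10:00:30Z src=198.51.100.5 user=dave result=failure
2026-01-15T10:00:41Z src=198.51.100.5 user=dave result=failure
2026-01-15T10:00:55Z src=198.51.100.5 user=dave result=success
this line is not an auth event
2026-01-15T10:05:00Z src=203.0.113.7 user=erin result=failure
""".splitlines()


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def detect_enumeration(lines, window_seconds=60, distinct_threshold=5):
    """Sliding window per source: the peak number of distinct identifiers
    that failed within any window_seconds. Returns {src: peak} for sources
    at or above distinct_threshold."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "failure"]
    events.sort(key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    flagged = {}
    for src, evs in per_src.items():
        window, in_window, peak = deque(), Counter(), 0
        for e in evs:
            window.append(e)
            in_window[e["user"]] += 1
            # Evict events older than the window before measuring.
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                old = window.popleft()
                in_window[old["user"]] -= 1
                if in_window[old["user"]] == 0:
                    del in_window[old["user"]]
            peak = max(peak, len(in_window))
        if peak >= distinct_threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Counting distinct identifiers rather than raw failures is what separates enumeration from a user mistyping a password; the second source fails twice but against one account, so it is not flagged. Per‑source counting is defeated by an attacker spreading probes across many addresses, so a global rate of failed attempts against never‑before‑seen identifiers is a useful second signal.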

Advisories

Source: Github GHSA
ID: GHSA-pvm5-9frx-264r
Title: Zitadel has a user enumeration vulnerability in Login UIs

History

Tue, 20 Jan 2026 16:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Zitadel; Zitadel zitadel
Type: Vendors & Products
Values Added: Zitadel; Zitadel zitadel

Thu, 15 Jan 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 19:30:00 +0000

Type: Description
Values Added: ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.
Type: Title
Values Added: ZITADEL has a user enumeration vulnerability in Login UIs
Type: Weaknesses
Values Added: CWE-204
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-15T19:56:24.164Z
Reserved: 2026-01-13T18:22:43.979Z
Link: CVE-2026-23511

Vulnrichment

Updated: 2026-01-15T19:56:21.421Z

NVD

Status: Analyzed
Published: 2026-01-15T20:16:05.167
Modified: 2026-01-20T16:44:43.437
Link: CVE-2026-23511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses