Description
ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.
Published: 2026-02-26
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized self‑verification of email addresses or phone numbers
Action: Immediate Patch
AI Analysis

Impact

A flaw in Zitadel's self‑management API (the UpdateHumanUser call) lets an authenticated user mark their own email address or phone number as verified simply by supplying the verification flag in the request, without completing the code‑based verification that normally proves control of the contact. Every control that trusts the verified status of a contact, such as account recovery, notification delivery or a relying party acting on a verified‑email claim, can therefore be fed an address or number the user never proved they own. The root cause is a missing authorization check on the flag (CWE‑862): the server accepted it from a caller who lacked the permission required to assert verification on behalf of the system.

Affected Systems

The issue affects the open‑source Zitadel identity platform: all releases before 4.11.1 on the 4.x line and before 3.4.7 on the 3.x line. Deployments running those earlier versions are at risk; the patched releases require the appropriate permission whenever the verification flag is supplied and let users self‑manage only the email address or phone number itself.

Risk and Exploitability

The CVSS 4.0 score of 8.2 (High, AV:N/AC:L/AT:N/PR:N/UI:A) rates the flaw as network‑reachable and low‑complexity, while NVD's CVSS 3.1 assessment is 6.5 Medium (PR:L), reflecting that the attacker needs an account in the instance. EPSS is below 1% and the CVE is not in CISA's KEV catalog, so observed exploitation is currently unlikely, although the SSVC record marks it Automatable: yes, since the whole attack is a single API call. An attacker with any account, whether self‑registered or compromised, sends an UpdateHumanUser request for their own user with the verification flag set on the email or phone field. The forged verified status then undermines whatever downstream controls rely on it, such as account recovery or relying parties that trust a verified‑email claim. Given the low probability of widespread exploitation, timely patching and monitoring of UpdateHumanUser calls that carry the verification flag remain the priorities.

Generated by OpenCVE AI on April 17, 2026 at 14:36 UTC.

Remediation

Vendor fix: upgrade to 4.11.1 (4.x line) or 3.4.7 (3.x line). Vendor workaround if upgrading is not possible: an action (v2) that rejects UpdateHumanUser requests setting the verification flag on the caller's own user (see GHSA-282g-fhmx-xf54).

OpenCVE Recommended Actions

  • Upgrade ZITADEL to 4.11.1 or later on the 4.x line, or 3.4.7 or later on the 3.x line; these releases require the appropriate permission whenever the verification flag is supplied.
  • If an upgrade is not feasible, deploy an action (v2) bound to UpdateHumanUser that rejects requests in which a user sets the verification flag on their own email or phone, restoring the intended restriction until the upgrade lands.
  • Audit API clients and scripted integrations: any client that legitimately sets the verification flag must run as a service user holding the required permission, because the patched versions reject the flag from callers without it; clients acting as the end user should send only the new email address or phone number and let the verification‑code flow run. Review which roles carry that permission.
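The action (v2) workaround described above, as an added example that is not ZITADEL's own code: a small Go webhook target that an actions v2 "request" execution on UpdateHumanUser would call before the request is processed. It rejects the call when the caller targets their own user and the email or phone sub‑message carries a verification flag (true or false, matching the patch, which demands the permission whenever the flag is present), and lets everything else through. The payload field names (fullMethod, userID, request), the request JSON keys (userId, email.isVerified, phone.isVerified), the endpoint path and the assumption that a non‑2xx response aborts the intercepted call when the target is configured to interrupt on error are all assumptions based on the v2 API shape, not facts from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Full gRPC method name of the vulnerable call in the user v2 API.
const updateHumanUserMethod = "/zitadel.user.v2.UserService/UpdateHumanUser"

// requestEvent is the ASSUMED shape of what an actions v2 request execution
// posts to its target: the called method, the calling user's ID and the raw
// request body. The field names are assumptions, not taken from the page.
type requestEvent struct {
	FullMethod string          `json:"fullMethod"`
	UserID     string          `json:"userID"`
	Request    json.RawMessage `json:"request"`
}

// contact captures only the verification flag of the email/phone sub-message.
// A non-nil pointer means the client supplied the flag, whether true or false.
type contact struct {
	IsVerified *bool `json:"isVerified"`
}

// updateHumanUser models the subset of the UpdateHumanUser request we inspect
// (assumed protojson key names).
type updateHumanUser struct {
	UserID string   `json:"userId"`
	Email  *contact `json:"email"`
	Phone  *contact `json:"phone"`
}

// decide reports whether the intercepted call must be rejected and which field
// triggered the rejection. Rule: a user may change their own email or phone but
// may not assert its verification status. Calls on other users are left to
// ZITADEL's own permission checks. If the target user ID is missing we treat the
// call as self-targeted, so an unexpected payload fails closed.
func decide(payload []byte) (block bool, field string, err error) {
	var ev requestEvent
	if err := json.Unmarshal(payload, &ev); err != nil {
		return false, "", fmt.Errorf("decode event: %w", err)
	}
	if ev.FullMethod != updateHumanUserMethod || len(ev.Request) == 0 {
		return false, "", nil
	}
	var req updateHumanUser
	if err := json.Unmarshal(ev.Request, &req); err != nil {
		return false, "", fmt.Errorf("decode request: %w", err)
	}
	if req.UserID != "" && req.UserID != ev.UserID {
		return false, "", nil // someone else's user: not self-management
	}
	if req.Email != nil && req.Email.IsVerified != nil {
		return true, "email", nil
	}
	if req.Phone != nil && req.Phone.IsVerified != nil {
		return true, "phone", nil
	}
	return false, "", nil
}

// handler is the HTTP endpoint registered as the action's target. A 403 is
// assumed to abort the call when the target interrupts on error; 200 with an
// empty body is assumed to let the request continue unchanged.
func handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	block, field, err := decide(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	if block {
		http.Error(w, "self-verification of "+field+" is not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	// Hypothetical path; register this URL as the action target.
	http.HandleFunc("/zitadel/block-self-verify", handler)
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

Register the handler's URL as a target and bind it to a request execution on the UpdateHumanUser method. Once the instance runs 4.11.1 or 3.4.7, the server‑side permission check makes this target redundant and it can be removed.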



Advisories
Source | ID | Title
GitHub GHSA | GHSA-282g-fhmx-xf54 | ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
History

Thu, 05 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Fri, 27 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zitadel; Zitadel zitadel
Vendors & Products | | Zitadel; Zitadel zitadel

Thu, 26 Feb 2026 01:00:00 +0000

Type | Values Removed | Values Added
Description | | ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.
Title | | ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
Weaknesses | | CWE-862
References | |
Metrics | | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:29:22.712Z

Reserved: 2026-02-25T03:11:36.690Z

Link: CVE-2026-27946

Vulnrichment

Updated: 2026-02-26T16:28:16.445Z

NVD

Status : Analyzed

Published: 2026-02-26T01:16:25.973

Modified: 2026-03-05T14:54:10.133

Link: CVE-2026-27946

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses