Description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organization. This issue has been patched in version 4.12.1.
Published: 2026-03-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

ZITADEL’s login V2 user interface, in versions 4.0.0 through 4.12.0, does not enforce the organization’s login behavior and security policy. An unauthenticated attacker (the CVSS vector below is AV:N/AC:L/PR:N/UI:N) can self‑register a new account or sign in with a password even when the organization has disabled those options. The flaw is classified as CWE‑287 (Improper Authentication) and can lead to unauthorized access to applications that rely on the organization’s login policy to control who can obtain or use an account.

Affected Systems

This vulnerability affects the ZITADEL identity‑management platform (CPE cpe:2.3:a:zitadel:zitadel). All deployments running version 4.0.0 up to but not including 4.12.1 are exposed, regardless of how the organization’s login settings are configured, because the flaw lies in login V2 not honoring those settings. The fix ships in ZITADEL 4.12.1 and later releases.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 8.2 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, high confidentiality impact and low integrity impact. The EPSS score is below 1%, the issue is not listed in the CISA KEV catalog, and the SSVC record shows Exploitation: none, so no in‑the‑wild exploitation had been observed at the time of analysis; the same SSVC record marks the issue Automatable: yes, so that picture can change quickly once details circulate. The attack path is the public login V2 web interface: an attacker completes a self‑registration or password sign‑in that the organization’s policy is supposed to prevent, and the UI accepts it even though the configuration forbids such actions.

Generated by OpenCVE AI on April 16, 2026 at 10:55 UTC.

Remediation

The vendor fix is ZITADEL 4.12.1, as stated in the description and in GHSA-25rw-g6ff-fmg8; upgrade to 4.12.1 or later. No vendor‑provided workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the ZITADEL installation to version 4.12.1 or later, which contains the fix for the login V2 UI flaw.
  • If an upgrade cannot be performed immediately, do not rely on the organization settings alone: the flaw is precisely that login V2 ignores the disabled self‑registration and password‑login options, so toggling them is not a mitigation by itself. Restrict network exposure of the login V2 UI (for example to trusted networks or via an access proxy) and monitor it closely until the upgrade is applied.
  • Audit authentication and user‑management logs for the whole period during which an affected version (4.0.0 through 4.12.0) was deployed, looking for self‑registrations and password sign‑ins in organizations where those options are disabled. Review and disable any accounts created that way: the upgrade closes the bypass but does not remove accounts that were already registered through it.
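As an added example (not code from OpenCVE, ZITADEL or the advisory), the following Python checks a deployed version string against the affected range stated above and then sweeps a constructed log of ZITADEL‑style events for self‑registrations and password sign‑ins in organizations whose login policy disables them. The event type names, the newline‑delimited JSON log format, the organization names, user IDs and timestamps are all assumptions made for this example, not ZITADEL’s actual schema; adapt them to whatever audit or event export you actually have.

```python
import json
import re
from dataclasses import dataclass

# Affected range per the advisory: 4.0.0 <= version < 4.12.1.
# The fourth tuple element is 1 for a final release and 0 for a pre-release,
# so "4.12.1-rc.1" sorts below "4.12.1" and is treated as still unpatched.
AFFECTED_MIN = (4, 0, 0, 0)
FIXED = (4, 12, 1, 1)


def parse_version(v: str) -> tuple:
    """Parse 'v4.12.0', '4.12.1-rc.1' or '4.12.1+build' into a comparable tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)


def is_affected(v: str) -> bool:
    """True if a ZITADEL version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


@dataclass(frozen=True)
class LoginPolicy:
    """Subset of an organization's login policy relevant to this advisory."""
    allow_register: bool
    allow_username_password: bool


# Event type names are assumptions for this example, not ZITADEL's real schema.
SELF_REGISTER_EVENTS = {"user.human.selfregistered"}
PASSWORD_LOGIN_EVENTS = {"user.human.password.check.succeeded"}


def load_events(jsonl: str) -> list:
    """Parse newline-delimited JSON events; blank lines are skipped."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def policy_violations(events, policies, window=None):
    """Return (event, reason) pairs for events the org's policy should have blocked.

    window is an optional (start, end) pair of ISO-8601 UTC timestamps bounding
    the period an affected version was deployed. Timestamps in one fixed
    ISO format compare correctly as plain strings.
    """
    hits = []
    for ev in events:
        if window and not (window[0] <= ev["ts"] <= window[1]):
            continue
        pol = policies.get(ev["org"])
        if pol is None:
            continue  # unknown org: nothing to compare against
        if ev["type"] in SELF_REGISTER_EVENTS and not pol.allow_register:
            hits.append((ev, "self-registration while registration is disabled"))
        elif ev["type"] in PASSWORD_LOGIN_EVENTS and not pol.allow_username_password:
            hits.append((ev, "password sign-in while password login is disabled"))
    return hits


# Constructed sample data: hypothetical org "acme" has disabled both
# self-registration and password login; "beta" still allows both.
POLICIES = {
    "acme": LoginPolicy(allow_register=False, allow_username_password=False),
    "beta": LoginPolicy(allow_register=True, allow_username_password=True),
}

SAMPLE_LOG = """
{"ts": "2026-03-05T09:12:01Z", "type": "user.human.selfregistered", "org": "acme", "user": "u-1001"}
{"ts": "2026-03-05T09:13:40Z", "type": "user.human.password.check.succeeded", "org": "acme", "user": "u-1001"}
{"ts": "2026-03-05T10:02:11Z", "type": "user.human.otp.check.succeeded", "org": "acme", "user": "u-0042"}
{"ts": "2026-03-05T11:30:00Z", "type": "user.human.selfregistered", "org": "beta", "user": "u-2001"}
{"ts": "2026-03-08T08:00:00Z", "type": "user.human.password.check.succeeded", "org": "acme", "user": "u-1001"}
"""

# Hypothetical exposure window: the days an affected version was running.
EXPOSURE_WINDOW = ("2026-03-01T00:00:00Z", "2026-03-07T23:59:59Z")


def audit(jsonl=SAMPLE_LOG, policies=POLICIES, window=EXPOSURE_WINDOW):
    """Run the policy sweep over a log export; returns the violating events."""
    return policy_violations(load_events(jsonl), policies, window)


if __name__ == "__main__":
    for ev, why in audit():
        print(f"{ev['ts']} org={ev['org']} user={ev['user']} {ev['type']}: {why}")
```

On the constructed sample this flags the self‑registration and the password sign‑in of user u-1001 in acme inside the exposure window; the OTP check in acme, the registration in beta (where it is allowed) and the password sign‑in after the window are left alone. The version check is deliberately conservative: a pre‑release of 4.12.1 is reported as affected because the page only vouches for the 4.12.1 release itself.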



Advisories
Source: GitHub GHSA
ID: GHSA-25rw-g6ff-fmg8
Title: ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
History

Tue, 10 Mar 2026 18:00:00 +0000

CPEs added: cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 19:15:00 +0000

Metrics added (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

First time appeared: vendor Zitadel; product Zitadel zitadel
Vendors & products added: vendor Zitadel; product Zitadel zitadel

Sat, 07 Mar 2026 15:15:00 +0000

Description added: ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1.
Title added: ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2
Weaknesses added: CWE-287
References added: (list not shown on this page)
Metrics added (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:27:32.981Z

Reserved: 2026-03-04T14:44:00.715Z

Link: CVE-2026-29193

Vulnrichment

Updated: 2026-03-09T17:43:42.553Z

NVD

Status : Analyzed

Published: 2026-03-07T15:15:55.867

Modified: 2026-03-10T17:52:35.390

Link: CVE-2026-29193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses