Description
ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Requests to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows unauthenticated requesters to send SCIM API calls with URL-encoded path values that are routed correctly but bypass authentication and permission checks. As a result, an attacker can retrieve sensitive user information such as names, email addresses, phone numbers, addresses, external IDs, and roles without any credentials. However, due to additional checks when manipulating data, the attacker cannot modify or delete any user data. This weakness is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Affected Systems

The vulnerability affects Zitadel identity management platforms from version 2.68.0 up to, but not including, 3.4.8 and 4.12.2. The issue is fixed in Zitadel releases 3.4.8 and 4.12.2, so any deployment running a version older than those is susceptible.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity level. The EPSS score is below 1%, suggesting a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the SCIM API endpoint, where an unauthenticated attacker can construct a URL-encoded request to enumerate sensitive user attributes. The risk is primarily data disclosure for the affected systems.

Generated by OpenCVE AI on March 17, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zitadel to version 3.4.8 or 4.12.2 to remediate the authentication bypass.
  • Until the patch is applied, restrict external access to the SCIM API endpoints using firewall or network segmentation.
  • Verify that URL-encoded SCIM requests are rejected by reviewing logs and access controls.
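The two checks above (is my deployment in the affected range, and are percent-encoded SCIM requests showing up in my access logs) can be scripted. The following Python helper is an added example, not OpenCVE's or Zitadel's code. The version ranges are taken from the advisory text; the log lines are constructed in a generic combined-log format because the page shows no real Zitadel log output, and the `/scim/v2/` path prefix is an assumption about where the SCIM API is mounted.

```python
import re
from urllib.parse import unquote

# Affected ranges as stated in the advisory: 2.68.0 <= v < 3.4.8 and 4.0.0 <= v < 4.12.2.
AFFECTED_RANGES = [((2, 68, 0), (3, 4, 8)), ((4, 0, 0), (4, 12, 2))]


def parse_version(s):
    """Turn 'v3.4.7' or '3.4.7' into a comparable tuple of ints."""
    parts = s.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the given Zitadel version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Constructed sample access log (combined-log style). Not real Zitadel output.
# Line 3 is an encoded SCIM path answered with 200 (the bypass being served);
# line 5 is the same path on a patched instance, answered with 401.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:09:14:01 +0000] "GET /scim/v2/Users HTTP/1.1" 401 0
203.0.113.10 - - [12/Mar/2026:09:14:05 +0000] "GET /scim/v2/Users/123 HTTP/1.1" 401 0
203.0.113.10 - - [12/Mar/2026:09:14:09 +0000] "GET /scim/v2/Users/%31%32%33 HTTP/1.1" 200 1842
198.51.100.7 - - [12/Mar/2026:09:15:22 +0000] "GET /ui/console?lang=en%2DUS HTTP/1.1" 200 5120
203.0.113.10 - - [12/Mar/2026:09:16:40 +0000] "GET /scim/v2/Users/%31%32%33 HTTP/1.1" 401 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
SCIM_PREFIX = "/scim/"  # assumed mount point of the SCIM API


def find_encoded_scim_requests(log_text):
    """Return one finding per request whose raw path targets the SCIM API and
    contains percent-encoded bytes. The path is decoded only for the report and
    for the prefix comparison, so a prefix hidden behind encoding is still caught."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        raw_path = m.group("path")
        decoded = unquote(raw_path)
        if not decoded.lower().startswith(SCIM_PREFIX):
            continue
        if not PCT_RE.search(raw_path):
            continue
        status = int(m.group("status"))
        findings.append({
            "line": lineno,
            "method": m.group("method"),
            "raw_path": raw_path,
            "decoded_path": decoded,
            "status": status,
            # A 2xx on an encoded SCIM path is the strongest sign the bypass was served.
            "served": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for ver in ("2.67.9", "2.68.0", "3.4.7", "3.4.8", "4.12.1", "4.12.2"):
        print(f"{ver:8} affected={is_affected(ver)}")
    for f in find_encoded_scim_requests(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "rejected"
        print(f"line {f['line']}: {f['method']} {f['raw_path']} -> {f['decoded_path']} [{f['status']} {flag}]")
```

After upgrading, an encoded SCIM path should appear in the report only with a 401/403 status; any 2xx hit on such a path from before the upgrade is a record that should be treated as a disclosure event for the user referenced in the decoded path.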

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 17:00:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type                   Values Removed    Values Added
First Time appeared                      Zitadel; Zitadel zitadel
Vendors & Products                       Zitadel; Zitadel zitadel

Wed, 11 Mar 2026 22:00:00 +0000

Type           Values Removed    Values Added
Description                      ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Requests to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.
Title                            ZITADEL SCIM Authentication Bypass via URL Encoding
Weaknesses                       CWE-288
References
Metrics                          cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T16:18:08.397Z

Reserved: 2026-03-10T22:19:36.545Z

Link: CVE-2026-32130

Vulnrichment

Updated: 2026-03-12T15:31:09.802Z

NVD

Status : Analyzed

Published: 2026-03-11T22:16:32.793

Modified: 2026-03-16T16:51:59.837

Link: CVE-2026-32130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:52Z

Weaknesses