Description
ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This vulnerability is fixed in 3.4.10 and 4.15.0.
Published: 2026-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ZITADEL's LDAP identity provider failed to escape user-supplied usernames, enabling LDAP filter injection during the login process. An unauthenticated attacker can send specially crafted usernames containing LDAP metacharacters such as '*', '(', or ')' to manipulate the search filter. By observing the differing responses from the authentication endpoint, the attacker can enumerate existing usernames and retrieve sensitive attributes from the LDAP directory, though a full authentication bypass is not possible.

Affected Systems

This flaw affects ZITADEL versions from 2.71.11 up to but not including 3.4.10 and 4.15.0. Users running any of these builds in an environment where the LDAP identity provider is enabled are susceptible.

Risk and Exploitability

The CVSS score of 7.5 reflects the potential for information disclosure and enumeration of directory contents. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the weakness by sending malformed usernames to the login endpoint; no authentication is required and the attack can be performed from an external network. Successful exploitation can lead to the discovery of all usernames and extraction of LDAP attributes, compromising confidentiality of directory data.

Generated by OpenCVE AI on May 14, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch by upgrading ZITADEL to at least version 3.4.10 or 4.15.0, which contain the fix for the LDAP filter injection issue.
  • If an immediate upgrade is not possible, enforce strict input validation by escaping LDAP metacharacters in any username that will be included in a search filter, or use a safe API that performs this escaping automatically.
  • Monitor authentication attempts and LDAP query logs for anomalous patterns that may indicate injection attempts, and review logs for discovery of user enumeration activities.
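As an added illustration of the second and third recommendations (example code written for this page, not ZITADEL's own implementation): RFC 4515 escaping of a login name before it is interpolated into a search filter, the unescaped construction beside it for comparison, and a small metacharacter check that can feed the log review. The helper names, the filter template and the sample username are assumptions; go-ldap's ldap.EscapeFilter does the same escaping and is what production code should call.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue applies RFC 4515 escaping to a value that will be
// embedded in an LDAP search filter: '*', '(', ')', '\' and NUL become
// \2a, \28, \29, \5c and \00, so the value can only match literally.
// Illustrative helper for this page, not ZITADEL's code.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// hasFilterMetachars reports whether a login name carries characters that
// have meaning in a filter; useful as a log-review or alerting check.
func hasFilterMetachars(username string) bool {
	return strings.ContainsAny(username, "*()\\\x00")
}

// unescapedFilter mirrors the flawed pattern: the raw username is
// interpolated into the filter, so its metacharacters change the query.
func unescapedFilter(attr, username string) string {
	return fmt.Sprintf("(&(objectClass=person)(%s=%s))", attr, username)
}

// safeFilter is the corrected form: escape before interpolating.
func safeFilter(attr, username string) string {
	return fmt.Sprintf("(&(objectClass=person)(%s=%s))", attr, escapeFilterValue(username))
}

func main() {
	// Constructed sample login name containing the three metacharacters named in the advisory.
	u := "al*(ce)"
	fmt.Println("unescaped:", unescapedFilter("uid", u)) // filter structure is altered
	fmt.Println("escaped:  ", safeFilter("uid", u))      // value matches literally
	fmt.Println("suspicious:", hasFilterMetachars(u))    // true
}
```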

Advisories
Source: Github GHSA
ID: GHSA-rxvx-hhpj-q6px
Title: ZITADEL has LDAP Filter Injection in Login Flow
History

Fri, 15 May 2026 18:15:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 17:15:00 +0000

CPEs, values added: cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Thu, 14 May 2026 22:30:00 +0000

First Time appeared, values added: Zitadel; Zitadel zitadel
Vendors & Products, values added: Zitadel; Zitadel zitadel

Thu, 14 May 2026 21:45:00 +0000

Description, values added: ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This vulnerability is fixed in 3.4.10 and 4.15.0.
Title, values added: ZITADEL: LDAP Filter Injection in Login Flow
Weaknesses, values added: CWE-90
References
Metrics (cvssV3_1), values added:
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:05:06.108Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44671

Vulnrichment

Updated: 2026-05-15T15:28:27.827Z

NVD

Status : Analyzed

Published: 2026-05-14T22:16:44.850

Modified: 2026-05-15T17:15:03.543

Link: CVE-2026-44671

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T22:45:31Z

Weaknesses