5.3

CVE-2026-23511

ZITADEL has a user enumeration vulnerability in Login UIs

ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZitadelZitadel Version >= 2.0.0 <= 2.71.19
ZitadelZitadel Version >= 3.0.0 < 3.4.6
ZitadelZitadel Version >= 4.0.0 < 4.9.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.36% 0.279
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-204 Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r
Third Party Advisory
https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2
Patch
https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d
Patch
https://github.com/zitadel/zitadel/releases/tag/v3.4.6
Release Notes
https://github.com/zitadel/zitadel/releases/tag/v4.9.1
Release Notes