CVE-2025-57770
- EPSS 0.07%
- Published 22.08.2025 16:50:35
- Last modified 27.08.2025 19:12:57
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the log...
CVE-2025-53895
- EPSS 0.07%
- Published 15.07.2025 16:39:00
- Last modified 26.08.2025 17:52:08
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if the...
CVE-2025-48936
- EPSS 0.13%
- Published 30.05.2025 06:30:57
- Last modified 04.06.2025 18:31:41
Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests...
- EPSS 0.05%
- Published 06.05.2025 17:13:53
- Last modified 26.08.2025 16:02:35
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receive...
CVE-2025-31124
- EPSS 0.08%
- Published 31.03.2025 20:15:15
- Last modified 26.08.2025 17:15:41
Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password pr...
CVE-2025-31123
- EPSS 0.09%
- Published 31.03.2025 20:15:15
- Last modified 26.08.2025 17:13:31
Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. T...
- EPSS 0.3%
- Published 04.03.2025 17:15:20
- Last modified 26.08.2025 17:15:22
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specifi...
CVE-2024-49757
- EPSS 3.06%
- Published 25.10.2024 15:15:18
- Last modified 26.08.2025 16:31:17
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User...
CVE-2024-49753
- EPSS 0.31%
- Published 25.10.2024 14:15:12
- Last modified 26.08.2025 16:28:04
Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions that allows bypassing restrictions intended to block reque...
CVE-2024-47060
- EPSS 0.05%
- Published 20.09.2024 00:15:03
- Last modified 25.09.2024 16:43:47
Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, its associated projects, and thus their applications, remain active. Users across other organizations can still log in and access through th...