FKIE_CVE-2026-23511

Vulnerability from fkie_nvd - Published: 2026-01-15 20:16 - Updated: 2026-01-20 16:44
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.
References
security-advisories@github.comhttps://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2Patch
security-advisories@github.comhttps://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858dPatch
security-advisories@github.comhttps://github.com/zitadel/zitadel/releases/tag/v3.4.6Release Notes
security-advisories@github.comhttps://github.com/zitadel/zitadel/releases/tag/v4.9.1Release Notes
security-advisories@github.comhttps://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264rThird Party Advisory
Impacted products
Vendor Product Version
zitadel zitadel *
zitadel zitadel *
zitadel zitadel *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFFBAC9C-9A67-4AF4-985C-31DCC2F1311D",
              "versionEndIncluding": "2.71.19",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "35824976-F697-4F42-8224-C8CE077BAB46",
              "versionEndExcluding": "3.4.6",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B68D0EF-0AB9-4429-AA04-8FED60B814C9",
              "versionEndExcluding": "4.9.1",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel\u0027s login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6."
    },
    {
      "lang": "es",
      "value": "ZITADEL es una plataforma de gesti\u00f3n de identidad de c\u00f3digo abierto. Antes de 4.9.1 y 3.4.6, se ha descubierto una vulnerabilidad de enumeraci\u00f3n de usuarios en las interfaces de inicio de sesi\u00f3n de Zitadel. Un atacante no autenticado puede explotar esta falla para confirmar la existencia de cuentas de usuario v\u00e1lidas al iterar a trav\u00e9s de nombres de usuario y userIDs. Esta vulnerabilidad est\u00e1 corregida en 4.9.1 y 3.4.6."
    }
  ],
  "id": "CVE-2026-23511",
  "lastModified": "2026-01-20T16:44:43.437",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-15T20:16:05.167",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/zitadel/zitadel/releases/tag/v4.9.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-204"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.