GHSA-PVM5-9FRX-264R
Vulnerability from github – Published: 2026-01-15 18:17 – Updated: 2026-01-21 16:55
Summary
A user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.
Impact
The login UIs (in version 1 and 2) provide the possibility to request a password reset, where an email will be sent to the user with a link to a verification endpoint. By submitting arbitrary userIDs to these endpoints, an attacker can differentiate between valid and invalid accounts based on the system's response.
For an effective exploit the attacker needs to iterate through the potential set of userIDs. The impact can be limited by implementing rate limiting or similar measures to limit enumeration of userIDs.
Additionally, Zitadel includes a security feature "Ignoring unknown usernames", designed to prevent username enumeration attacks by presenting a generic response for both valid and invalid usernames on the login page. The login UI V2 did not handle the setting correctly and would allow attackers to enumerate through usernames to check their existence.
Affected Versions
All versions within the following ranges, including release candidates (RCs), are affected:
- v4.x: 4.0.0 through 4.9.0
- 3.x: 3.0.0 through 3.4.5
- 2.x: 2.0.0 through 2.71.19
Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by returning a generic error message that does not indicate whether the user exists.
4.x: Upgrade to >=4.9.1
3.x: Update to >=3.4.6
2.x: Update to >=3.4.6
Workarounds
The recommended solution is to update ZITADEL to a patched version. You can limit the impact by implementing rate limiting or similar measures to limit enumeration of userIDs.
There is no workaround for the "Ignoring unknown usernames" issue in login V2. Please upgrade to a patched version if you rely on this feature.
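The two defences this advisory describes, the generic response from the Patches section and the rate limiting suggested under Workarounds, as an added Go example that is not Zitadel's own code: the user directory, the handler names, the limiter and the 200/404/429 behaviour are all constructed for illustration of a hypothetical password-reset endpoint and say nothing about Zitadel's actual implementation.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Constructed sample directory standing in for the identity store; only these
// IDs exist, every other ID is unknown.
var knownUsers = map[string]bool{"user-1001": true, "user-1002": true}

// sendResetMail stands in for the mail delivery step (no-op stub).
func sendResetMail(userID string) { _ = userID }

// ResetResponse is what the reset endpoint returns to the client. Anything in
// it that differs between known and unknown users is an enumeration oracle.
type ResetResponse struct {
	Status int
	Body   string
}

// vulnerableRequestReset shows the flawed pattern the advisory describes: the
// status and body reveal whether the submitted userID exists.
func vulnerableRequestReset(userID string) ResetResponse {
	if !knownUsers[userID] {
		return ResetResponse{Status: 404, Body: "user not found"}
	}
	sendResetMail(userID)
	return ResetResponse{Status: 200, Body: "password reset email sent"}
}

// hardenedRequestReset applies the generic-message fix: the same status and body
// come back for every userID; mail is still only sent for real users.
func hardenedRequestReset(userID string) ResetResponse {
	if knownUsers[userID] {
		// Hand off asynchronously so mail delivery cost does not leak via timing.
		go sendResetMail(userID)
	}
	return ResetResponse{
		Status: 200,
		Body:   "If an account with this identifier exists, a password reset email has been sent.",
	}
}

// fixedWindowLimiter allows at most `limit` requests per client per `window`,
// a minimal form of the "rate limiting or similar measures" the advisory suggests.
type fixedWindowLimiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	counts  map[string]int
	resetAt map[string]time.Time
	now     func() time.Time // injectable clock, replaced in tests
}

func newFixedWindowLimiter(limit int, window time.Duration) *fixedWindowLimiter {
	return &fixedWindowLimiter{limit: limit, window: window,
		counts: map[string]int{}, resetAt: map[string]time.Time{}, now: time.Now}
}

// allow reports whether client may make another request in the current window.
func (l *fixedWindowLimiter) allow(client string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	if now.After(l.resetAt[client]) { // zero time for a new client: start a window
		l.counts[client] = 0
		l.resetAt[client] = now.Add(l.window)
	}
	if l.counts[client] >= l.limit {
		return false
	}
	l.counts[client]++
	return true
}

// handleReset combines both mitigations: over-limit clients get 429 before
// any user lookup runs, everyone else gets the generic response.
func handleReset(l *fixedWindowLimiter, client, userID string) ResetResponse {
	if !l.allow(client) {
		return ResetResponse{Status: 429, Body: "too many requests"}
	}
	return hardenedRequestReset(userID)
}

// responsesDistinguishable: do a known and an unknown ID get different responses?
func responsesDistinguishable(reset func(string) ResetResponse) bool {
	return reset("user-1001") != reset("no-such-user")
}

func main() {
	fmt.Println("vulnerable leaks:", responsesDistinguishable(vulnerableRequestReset), "hardened leaks:", responsesDistinguishable(hardenedRequestReset))
	l := newFixedWindowLimiter(5, time.Minute)
	for i := 0; i < 7; i++ { // a client iterating userIDs is cut off after 5
		fmt.Println(handleReset(l, "203.0.113.7", fmt.Sprintf("user-%d", 1000+i)))
	}
}
```

The `responsesDistinguishable` check is the review question to ask of any reset, signup or login endpoint: if a known and an unknown identifier produce responses that differ in status, body, headers or noticeably in timing, the endpoint is an enumeration oracle regardless of what the "Ignoring unknown usernames" style setting says. The limiter keys on a client string; in practice that is the source IP or a session token, and it belongs in front of the handler so that an over-limit request never reaches the user lookup.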
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to Niklas Kunz from Seamly for reporting this vulnerability from their pentest.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.5"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23511"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-15T18:17:06Z",
"nvd_published_at": "2026-01-15T20:16:05Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA user enumeration vulnerability has been discovered in Zitadel\u0027s login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.\n\n### Impact\n\nThe login UIs (in version 1 and 2) provide the possibility to request a password reset, where an email will be sent to the user with a link to a verification endpoint.\nBy submitting arbitrary userIDs to these endpoints, an attacker can differentiate between valid and invalid accounts based on the system\u0027s response.\n\nFor an effective exploit the attacker needs to iterate through the potential set of userIDs. The impact can be limited by implementing [rate limiting](https://zitadel.com/docs/self-hosting/manage/production#limits-and-quotas) or similar measures to limit enumeration of userIDs.\n\nAdditionally, Zitadel includes a security feature \"Ignoring unknown usernames\", designed to prevent username enumeration attacks by presenting a generic response for both valid and invalid usernames on the login page. The login UI V2 did not handle the setting correctly and would allow attackers to enumerate through usernames to check their existence.\n\n### Affected Versions\n\nAll versions within the following ranges, including release candidates (RCs), are affected:\n- **v4.x**: `4.0.0` through `4.9.0`\n- **3.x**: `3.0.0` through `3.4.5`\n- **2.x**: `2.0.0` through `2.71.19`\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by returning a generic error message, which does not indicate it the user exists.\n\n4.x: Upgrade to \u003e=[4.9.1](https://github.com/zitadel/zitadel/releases/tag/v4.9.1)\n3.x: Update to \u003e=[3.4.6](https://github.com/zitadel/zitadel/releases/tag/v3.4.6)\n2.x: Update to \u003e=[3.4.6](https://github.com/zitadel/zitadel/releases/tag/v3.4.6)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version. You can limit the impact by implementing [rate limiting](https://zitadel.com/docs/self-hosting/manage/production#limits-and-quotas) or similar measures to limit enumeration of userIDs.\n\nThere is no workaround for the \"Ignoring unknown usernames\" issue in login V2. Please upgrade to a patched version, if you rely on this feature.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to Niklas Kunz from Seamly for reporting this vulnerability from their pentest.",
"id": "GHSA-pvm5-9frx-264r",
"modified": "2026-01-21T16:55:10Z",
"published": "2026-01-15T18:17:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23511"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/0bb00dd9fc4e5e965f8e14fa2161a5076f3c308d"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.6"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.9.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Zitadel has a user enumeration vulnerability in Login UIs"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.