GHSA-RXVX-HHPJ-Q6PX
Vulnerability from github – Published: 2026-05-08 17:11 – Updated: 2026-05-08 17:11Summary
A vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.
Impact
While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory.
Note that an authentication bypass is not possible.
Affected Versions
Systems integrating LDAP as IdPs and running one of the following versions are affected:
- 4.x:
4.0.0through4.14.0(including RC versions) - 3.x:
3.1.0through3.4.9 - 2.x:
2.71.11through2.71.19
Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.
Workarounds
The recommended solution is to upgrade to a patched version. If an immediate upgrade is not possible, developers should ensure their project's LDAP directory has strict access controls to limit the scope of information disclosure.
Questions
If there are any questions or comments about this advisory, please send an email to security@zitadel.com
Credits
This vulnerability was identified and reported by ProScan AppSec (https://proscan.one/).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.14.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.15.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.71.11"
},
{
"last_affected": "2.71.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.9"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.4.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44671"
],
"database_specific": {
"cwe_ids": [
"CWE-90"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T17:11:29Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nA vulnerability was discovered in Zitadel\u0027s LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.\n\n## Impact\n\nWhile this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as `*`, `(`, `)`) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory.\n\nNote that an authentication bypass is not possible.\n\n## Affected Versions\n\nSystems integrating LDAP as IdPs and running one of the following versions are affected:\n\n- **4.x**: `4.0.0` through `4.14.0` (including RC versions)\n- **3.x**: `3.1.0` through `3.4.9`\n- **2.x**: `2.71.11` through `2.71.19`\n\n## Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.\n\n- **4.x**: Upgrade to \u003e=[4.15.0](https://github.com/zitadel/zitadel/releases/tag/v4.15.0)\n- **3.x**: Update to \u003e=[3.4.10](https://github.com/zitadel/zitadel/releases/tag/v3.4.10)\n- **2.x**: Update to \u003e=[3.4.10](https://github.com/zitadel/zitadel/releases/tag/v3.4.10)\n\n## Workarounds\n\nThe recommended solution is to upgrade to a patched version. If an immediate upgrade is not possible, developers should ensure their project\u0027s LDAP directory has strict access controls to limit the scope of information disclosure.\n\n## Questions\n\nIf there are any questions or comments about this advisory, please send an email to [security@zitadel.com](mailto:security@zitadel.com)\n\n## Credits\n\nThis vulnerability was identified and reported by **ProScan AppSec** ([https://proscan.one/](https://proscan.one)).",
"id": "GHSA-rxvx-hhpj-q6px",
"modified": "2026-05-08T17:11:29Z",
"published": "2026-05-08T17:11:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-rxvx-hhpj-q6px"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "ZITADEL has LDAP Filter Injection in Login Flow"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.