github.com/zitadel/zitadel vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity describes the worst case; real exposure depends on whether the vulnerable code path is actually reachable in your deployment, so check each advisory's affected version range against the ZITADEL build you run.


CVE ID | Severity | Package: summary
CVE-2026-55669 | Medium | github.com/zitadel/zitadel: ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
GHSA-WXG7-W2V3-W38G | Medium | github.com/zitadel/zitadel: ZITADEL: Missing Token Lifecycle Validation (`exp` and `iat`) in JWT IdP Provider
CVE-2026-55672 | High | github.com/zitadel/zitadel: ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows…
CVE-2026-55670 | Low | github.com/zitadel/zitadel: ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
CVE-2026-55671 | Low | github.com/zitadel/zitadel: ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
CVE-2026-44671 | High | github.com/zitadel/zitadel: ZITADEL has LDAP Filter Injection in Login Flow
CVE-2026-33132 | Medium | github.com/zitadel/zitadel: Zitadel is missing enforcement of organization scopes
CVE-2026-29192 | High | github.com/zitadel/zitadel/v2: ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
CVE-2026-29193 | High | github.com/zitadel/zitadel/v2: ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
CVE-2026-29191 | Critical | github.com/zitadel/zitadel: ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
CVE-2026-27946 | High | github.com/zitadel/zitadel: ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
CVE-2026-27840 | Medium | github.com/zitadel/zitadel: ZITADEL's truncated opaque tokens are still valid
CVE-2026-23511 | Medium | github.com/zitadel/zitadel: Zitadel has a user enumeration vulnerability in Login UIs
CVE-2025-67717 | Medium | github.com/zitadel/zitadel: Zitadel Discloses the Total Number of Instance Users
CVE-2025-67495 | High | github.com/zitadel/zitadel: ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
CVE-2026-29067 | High | github.com/zitadel/zitadel: ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
CVE-2025-67494 | Critical | github.com/zitadel/zitadel: ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
CVE-2025-64717 | High | github.com/zitadel/zitadel: ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
CVE-2025-64431 | High | github.com/zitadel/zitadel: IDOR Vulnerabilities in ZITADEL's Organization API allow Cross-Tenant Data Tampering
CVE-2025-64103 | High | github.com/zitadel/zitadel/v2: Zitadel May Bypass Second Authentication Factor
CVE-2025-64102 | High | github.com/zitadel/zitadel/v2: Zitadel allows brute-forcing authentication factors
CVE-2025-48936 | High | github.com/zitadel/zitadel: ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
CVE-2025-46815 | High | github.com/zitadel/zitadel: ZITADEL Allows IdP Intent Token Reuse
CVE-2025-27507 | Critical | github.com/zitadel/zitadel/v2: IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
CVE-2024-49757 | High | github.com/zitadel/zitadel: User Registration Bypass in Zitadel
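The first two entries (missing `aud` validation, missing `exp`/`iat` validation in the JWT IdP provider) name the checks any relying party must make before trusting an identity token from an upstream IdP. The Go example below is added here and is not taken from ZITADEL's code base; it shows a minimal verifier that keeps signature verification separate from claim validation and enforces `aud`, `exp` and `iat` with a clock-skew allowance. The HS256 minting helper, the secret, the subject and the audience URLs are constructed for the demonstration and stand in for a real IdP.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carries the registered JWT claims the checks below inspect. "aud" stays
// raw because RFC 7519 allows either a single string or an array of strings.
type Claims struct {
	Subject  string          `json:"sub"`
	Audience json.RawMessage `json:"aud,omitempty"`
	Expiry   int64           `json:"exp,omitempty"`
	IssuedAt int64           `json:"iat,omitempty"`
}

// Audiences normalises aud to a slice; a missing aud yields nil, not an error,
// so that ValidateClaims can report it as "not addressed to us".
func (c Claims) Audiences() ([]string, error) {
	var one string
	var many []string
	switch {
	case len(c.Audience) == 0:
		return nil, nil
	case json.Unmarshal(c.Audience, &one) == nil:
		return []string{one}, nil
	case json.Unmarshal(c.Audience, &many) == nil:
		return many, nil
	}
	return nil, errors.New("aud is neither a string nor an array of strings")
}

var b64 = base64.RawURLEncoding

func sign(signingInput string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// MintHS256 builds a compact HS256 token so the example has offline input. It is a
// hypothetical issuer for this demo, not how ZITADEL or any real IdP issues tokens.
func MintHS256(c Claims, secret []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return in + "." + b64.EncodeToString(sign(in, secret)), nil
}

// VerifyHS256 checks only the signature and decodes the claims. The header is never
// consulted: the verifier always applies its own key and algorithm, so "alg" cannot
// be downgraded. A good signature proves who signed the token, not that it was meant
// for us or is still current; those are ValidateClaims' job.
func VerifyHS256(token string, secret []byte) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1], secret)) {
		return c, errors.New("signature mismatch")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return c, errors.New("malformed payload")
	}
	return c, nil
}

// ValidateClaims enforces the three checks the two advisories above say were missing:
// aud must name this relying party, exp must not have passed, and iat must not lie in
// the future. leeway absorbs clock skew between issuer and verifier. now is a parameter
// so the checks are testable with a fixed clock.
func ValidateClaims(c Claims, expectedAud string, now time.Time, leeway time.Duration) error {
	auds, err := c.Audiences()
	if err != nil {
		return err
	}
	ok := false
	for _, a := range auds {
		ok = ok || a == expectedAud
	}
	if !ok {
		return fmt.Errorf("aud %v does not include %q", auds, expectedAud)
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0).Add(leeway)) {
		return errors.New("exp missing or in the past")
	}
	if c.IssuedAt == 0 || time.Unix(c.IssuedAt, 0).After(now.Add(leeway)) {
		return errors.New("iat missing or in the future")
	}
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed for the demo only
	now := time.Now()
	tok, _ := MintHS256(Claims{Subject: "alice", Audience: json.RawMessage(`"https://rp.example"`), Expiry: now.Add(time.Hour).Unix(), IssuedAt: now.Unix()}, secret)
	c, err := VerifyHS256(tok, secret)
	fmt.Println("signature:", err, "| for rp.example:", ValidateClaims(c, "https://rp.example", now, 30*time.Second), "| for other.example:", ValidateClaims(c, "https://other.example", now, 30*time.Second))
}
```

The split matters in practice: a token that is correctly signed by the upstream IdP but issued for a different client (wrong `aud`), or issued long ago (stale `exp`), is exactly what the `aud` and lifecycle advisories describe being accepted, and the signature check alone cannot catch either.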
