Zitadel has a user enumeration vulnerability in Login UIs

Description

Summary

A user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.

Impact

The login UIs (in version 1 and 2) provide the possibility to request a password reset, where an email will be sent to the user with a link to a verification endpoint.
By submitting arbitrary userIDs to these endpoints, an attacker can differentiate between valid and invalid accounts based on the system's response.

For an effective exploit the attacker needs to iterate through the potential set of userIDs. The impact can be limited by implementing rate limiting or similar measures to limit enumeration of userIDs.

Additionally, Zitadel includes a security feature "Ignoring unknown usernames", designed to prevent username enumeration attacks by presenting a generic response for both valid and invalid usernames on the login page. The login UI V2 did not handle the setting correctly and would allow attackers to enumerate through usernames to check their existence.

Affected Versions

All versions within the following ranges, including release candidates (RCs), are affected:
- v4.x: 4.0.0 through 4.9.0
- 3.x: 3.0.0 through 3.4.5
- 2.x: 2.0.0 through 2.71.19

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by returning a generic error message, which does not indicate it the user exists.

4.x: Upgrade to >=4.9.1
3.x: Update to >=3.4.6
2.x: Update to >=3.4.6

Workarounds

The recommended solution is to update ZITADEL to a patched version. You can limit the impact by implementing rate limiting or similar measures to limit enumeration of userIDs.

There is no workaround for the "Ignoring unknown usernames" issue in login V2. Please upgrade to a patched version, if you rely on this feature.

Questions

If you have any questions or comments about this advisory, please email us at [email protected]

Credits

Thanks to Niklas Kunz from Seamly for reporting this vulnerability from their pentest.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-01-15 18:17:06 UTC
Updated
2026-01-26 07:13:45 UTC
GitHub reviewed
2026-01-15 18:17:06 UTC
NVD published
2026-01-15

EPSS Score

Score Percentile
0.02% 5.51%

CVSS Scores

Base score Version Severity Vector
5.3 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-203 Observable Discrepancy
CWE-204 Observable Response Discrepancy

Credits

  • IAM-marco (remediation_reviewer)
  • livio-a (coordinator)
  • mntns (reporter)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/zitadel/zitadel >= 4.0.0, <= 4.9.0 4.9.1
go github.com/zitadel/zitadel <= 3.4.5 3.4.6

References

cvelogic Threat Intelligence