pkg:Go/github.com/zitadel/zitadel

All known vulnerabilities

• CRITICAL9.3CVE-2026-29191ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint in github.com/zitadel/zitadel
  from 0
• CRITICAL9.3CVE-2026-29191ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint in github.com/zitadel/zitadel
  >= 4.0.0, < 4.12.0
• CRITICAL9.3CVE-2025-67494ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e, >= 1.83.4
• CRITICAL9.3ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
• CRITICAL9.0IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations in github.com/zitadel/zitadel
  from 0
• CRITICAL9.0IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations in github.com/zitadel/zitadel
  from 0, < 2.63.8
• HIGH8.7ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel
  from 0, < 2.42.17
• HIGH8.7ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel
  from 0
• HIGH8.7Broken Authorization in ZITADEL Actions
  >= 2.0.0, < 2.2.0
• HIGH8.2ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication in github.com/zitadel/zitadel
  >= 4.0.0, < 4.12.1
• HIGH8.2ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication in github.com/zitadel/zitadel
  from 0
• HIGH8.1ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
• HIGH8.1ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e, >= 1.83.4
• HIGH8.1ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection in github.com/zitadel/zitadel
  from 0
• HIGH8.1ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel
  from 0, < 0.0.0-20250528081227-c097887bc5f6
• HIGH8.1ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel
  from 0, < 0.0.0-20250528081227-c097887bc5f6
• HIGH8.1ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel
  from 0
• HIGH8.1XSS in github.com/zitadel/zitadel
  >= 1.80.1, < 2.41.15
• HIGH8.1XSS in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20240312162750-5908b97e7c22
• HIGH8.1ZITADEL Account Takeover via Malicious Host Header Injection
  >= 2.39.0, < 2.39.9
• HIGH8.0ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e, >= 1.83.4
• HIGH8.0ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e
• HIGH8.0ZITADEL Allows IdP Intent Token Reuse in github.com/zitadel/zitadel
  from 0
• HIGH8.0ZITADEL Allows IdP Intent Token Reuse in github.com/zitadel/zitadel
  >= 3.0.0-rc.1, < 3.0.0
• HIGH7.7ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover in github.com/zitadel/zitadel
  >= 4.0.0, < 4.12.0
• HIGH7.7ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover in github.com/zitadel/zitadel
  from 0
• HIGH7.5ZITADEL has LDAP Filter Injection in Login Flow
  >= 4.0.0, < 4.15.0
• HIGH7.5User Registration Bypass in Zitadel in github.com/zitadel/zitadel
  from 0
• HIGH7.5User Registration Bypass in Zitadel in github.com/zitadel/zitadel
  >= 2.63.0, < 2.63.5
• HIGH7.5Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel
  from 0, < 2.44.3
• HIGH7.5Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel
  from 0
• HIGH7.3ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel
  from 0
• HIGH7.3ZITADEL race condition in lockout policy execution
  >= 2.39.0, < 2.40.5
• MEDIUM6.8ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel
  from 0
• MEDIUM6.5ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel
  from 0, < 2.50.0
• MEDIUM6.5ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel
  from 0
• MEDIUM6.1ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel
  from 0, < 2.42.17
• MEDIUM6.1ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel
  from 0
• MEDIUM5.9Denied Host Validation Bypass in Zitadel Actions in github.com/zitadel/zitadel
  from 0
• MEDIUM5.9Denied Host Validation Bypass in Zitadel Actions in github.com/zitadel/zitadel
  >= 2.64.0, < 2.64.1
• MEDIUM5.9Zitadel RefreshToken invalidation vulnerability
  >= 2.17.0, < 2.17.3
• MEDIUM5.7ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel
  from 0
• MEDIUM5.7ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel
  >= 2.0.0, < 2.53.8
• MEDIUM5.3Zitadel is missing enforcement of organization scopes in github.com/zitadel/zitadel
  >= 4.0.0-rc.1, < 4.12.3
• MEDIUM5.3Zitadel is missing enforcement of organization scopes in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20260317120401-d90285929ca0
• MEDIUM5.3Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel
  from 0
• MEDIUM5.3Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel
  >= 4.0.0, < 4.9.1
• MEDIUM5.3ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel
  from 0
• MEDIUM5.3ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel
  >= 2.53.0, < 2.53.9
• MEDIUM5.3Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel
  >= 2.50.0, < 2.50.3
• MEDIUM5.3Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel
  from 0
• MEDIUM5.3ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting
  from 0, < 2.37.3
• MEDIUM4.3ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel
  from 0
• MEDIUM4.3ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel
  >= 4.0.0, < 4.11.0
• MEDIUM4.3Zitadel Discloses the Total Number of Instance Users in github.com/zitadel/zitadel
  >= 4.0.0-rc.1, < 4.7.2
• MEDIUM4.3Zitadel Discloses the Total Number of Instance Users in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251210121356-826039c6208f
• MEDIUM4.3ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel
  from 0
• MEDIUM4.3ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel
  >= 1.80.1, < 2.52.3
• —ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20260225053328-b2532e966621
• —ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API in github.com/zitadel/zitadel
  >= 4.0.0, < 4.11.1
• —ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20260225053417-0261536243e5
• —ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP in github.com/zitadel/zitadel
  >= 4.0.0-rc.1, < 4.6.6
• —ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP in github.com/zitadel/zitadel
  >= 1.80.0-v2.20.0.20240403060621-5b3946b67ef6, < 1.80.0-v2.20.0.20251112124840-33c51deb2040
• —IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering in github.com/zitadel/zitadel
  >= 1.80.0-v2.20.0.20250414095945-f365cee73242, < 1.80.0-v2.20.0.20251105083648-8dcfff97ed52
• —IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering in github.com/zitadel/zitadel
  >= 4.0.0-rc.1, < 4.6.3
• —Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel
  from 0
• —Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251029091250-b284f8474eed
• —Zitadel allows brute-forcing authentication factors in github.com/zitadel/zitadel
  from 0
• —Zitadel allows brute-forcing authentication factors in github.com/zitadel/zitadel
  from 0, < 1.80.0-v2.20.0.20251029090735-b8db8cdf9cc8