
Description

ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability exists in ZITADEL's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and user IDs and observing the differing responses. This vulnerability is fixed in 4.9.1 and 3.4.6.

PUBLISHED Reserved 2026-01-13 | Published 2026-01-15 | Updated 2026-01-15 | Assigner GitHub_M




MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-204: Observable Response Discrepancy

Product status

>= 4.0.0, < 4.9.1: affected

< 3.4.6: affected

References

github.com/...itadel/security/advisories/GHSA-pvm5-9frx-264r

github.com/...ommit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2

github.com/...ommit/c300d4cc6a2775ab17ddfe76492f24170f8b858d

github.com/zitadel/zitadel/releases/tag/v3.4.6

github.com/zitadel/zitadel/releases/tag/v4.9.1

cve.org (CVE-2026-23511)

nvd.nist.gov (CVE-2026-23511)
