CVE-2026-32132 | THREATINT

Description

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow an attacker to potentially register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2.

PUBLISHED Reserved 2026-03-10 | Published 2026-03-11 | Updated 2026-03-12 | Assigner GitHub_M

HIGH: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-613: Insufficient Session Expiration

Product status

>= 4.0.0, < 4.12.2

affected

< 3.4.8

affected

References

github.com/...itadel/security/advisories/GHSA-2x66-r53r-9r86

github.com/zitadel/zitadel/releases/tag/v3.4.8

github.com/zitadel/zitadel/releases/tag/v4.12.2

cve.org (CVE-2026-32132)

nvd.nist.gov (CVE-2026-32132)

Download JSON