{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29067", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.482Z", "datePublished": "2026-03-07T15:12:26.345Z", "dateUpdated": "2026-03-09T18:27:24.567Z"}, "containers": {"cna": {"title": "ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 4.0.0-rc.1, < 4.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:12:26.345Z"}, "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1."}], "source": {"advisory": "GHSA-pfrf-9r5f-73f5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:39:49.787933Z", "id": "CVE-2026-29067", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:27:24.567Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29067", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T17:39:49.787933Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:39:51.182Z"}}], "cna": {"title": "ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login", "source": {"advisory": "GHSA-pfrf-9r5f-73f5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": ">= 4.0.0-rc.1, < 4.7.1"}]}], "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:12:26.345Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29067", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:27:24.567Z", "dateReserved": "2026-03-03T20:51:43.482Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T15:12:26.345Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1B051D6-969F-4B70-BF3F-AFD77FB00251", "versionEndExcluding": "4.7.1", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1."}, {"lang": "es", "value": "ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. Desde la versi\u00f3n 4.0.0-rc.1 hasta la 4.7.0, existe una potencial vulnerabilidad en el mecanismo de restablecimiento de contrase\u00f1a de ZITADEL en el inicio de sesi\u00f3n V2. ZITADEL utiliza el encabezado Forwarded o X-Forwarded-Host de las solicitudes entrantes para construir la URL del enlace de confirmaci\u00f3n de restablecimiento de contrase\u00f1a. Este enlace, que contiene un c\u00f3digo secreto, se env\u00eda luego por correo electr\u00f3nico al usuario. Este problema ha sido parcheado en la versi\u00f3n 4.7.1."}], "id": "CVE-2026-29067", "lastModified": "2026-03-10T17:58:23.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-07T15:15:54.890", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-rc.1,4.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zitadel", "source": "cna", "vendor": "zitadel"}, "product": "zitadel", "vendor": "zitadel"}], "analysis": {"en": {"generated_at": "2026-04-17T12:11:52.454868+00:00", "value": {"mitigation_remediation": ["Upgrade ZITADEL to version 4.7.1 or later, which patches the URL construction logic.", "Configure any reverse proxy, load balancer, or network appliance to strip or enforce trusted values for the Forwarded and X-Forwarded-Host headers before passing requests to ZITADEL.", "Monitor outgoing password\u2011reset emails for unexpected hostnames or abnormal redirect behavior and block or flag suspicious tokens."], "summary": {"action": "Immediate Patch", "impact": "Account Takeover"}, "threat_synthesis": {"affected_systems": "The affected product is ZITADEL, an open source identity management platform, with vulnerability present only in releases between 4.0.0\u2011rc.1 and 4.7.0 inclusive. Versions 4.7.1 and later contain the patch.", "description_and_impact": "ZITADEL versions 4.0.0\u2011rc.1 through 4.7.0 construct the email confirmation link for password resets using the Forwarded or X-Forwarded-Host header from incoming requests. This header is used to build the full URL that contains a secret reset code and is sent to the user. Because the header can be manipulated, an attacker can generate a link that points to an attacker-controlled domain or modifies the path to the confirmation endpoint, enabling account takeover by tricking a user into confirming the reset under the attacker's control.", "risk_and_exploitability": "The CVSS score is 8.1, indicating a high severity vulnerability. The EPSS score is below 1%, suggesting a low but non\u2011zero probability of exploitation in the current data snapshot. The CVE is not listed in the CISA KEV catalog. Exploitation requires an attacker to control or influence the Forwarded/X-Forwarded-Host header in traffic to ZITADEL, which can occur via misconfigured reverse proxies, load balancers, or internal networks. Once the attacker induces a password\u2011reset email that uses a forged host, they can direct the user to a malicious confirmation page to hijack the account."}}}}, "created": "2026-03-09T10:05:19.284300+00:00", "updated": "2026-04-17T12:15:18.171166+00:00", "vendors": ["zitadel", "zitadel$PRODUCT$zitadel"]}