{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29193", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.715Z", "datePublished": "2026-03-07T15:11:06.415Z", "dateUpdated": "2026-03-09T18:27:32.981Z"}, "containers": {"cna": {"title": "ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 4.0.0, < 4.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:11:06.415Z"}, "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1."}], "source": {"advisory": "GHSA-25rw-g6ff-fmg8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:43:41.438986Z", "id": "CVE-2026-29193", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:27:32.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29193", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:43:41.438986Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:43:42.553Z"}}], "cna": {"title": "ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2", "source": {"advisory": "GHSA-25rw-g6ff-fmg8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.12.1"}]}], "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:11:06.415Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29193", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:27:32.981Z", "dateReserved": "2026-03-04T14:44:00.715Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T15:11:06.415Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "88347744-32A9-4556-A76B-2EA0C1BD6DBC", "versionEndExcluding": "4.12.1", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1."}, {"lang": "es", "value": "ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. Desde la versi\u00f3n 4.0.0 hasta la 4.12.0, una vulnerabilidad en la interfaz de usuario (UI) de inicio de sesi\u00f3n V2 de Zitadel permit\u00eda a los usuarios eludir el comportamiento de inicio de sesi\u00f3n y las pol\u00edticas de seguridad, y autorregistrarse para nuevas cuentas o iniciar sesi\u00f3n con contrase\u00f1a incluso si las opciones correspondientes estaban deshabilitadas en su organizaci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 4.12.1."}], "id": "CVE-2026-29193", "lastModified": "2026-03-10T17:52:35.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T15:15:55.867", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.12.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zitadel", "source": "cna", "vendor": "zitadel"}, "product": "zitadel", "vendor": "zitadel"}], "analysis": {"en": {"generated_at": "2026-04-16T10:55:11.092346+00:00", "value": {"mitigation_remediation": ["Upgrade the ZITADEL installation to version 4.12.1 or later, which contains the fix for the login V2 UI flaw.", "If an upgrade cannot be performed immediately, enforce organization settings that strictly disable self\u2011registration and password\u2011based login, and verify that the login V2 UI is not exposed to unauthorised access.", "Audit authentication logs for unexpected account creation or sign\u2011in events following the upgrade or configuration changes to ensure no lingering unauthorized actors remain."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the ZITADEL identity\u2011management platform from vendors\u2019 product line. All deployments of ZITADEL version 4.0.0 up to but not including 4.12.1 are exposed. The fix is delivered in ZITADEL 4.12.1 and later releases.", "description_and_impact": "ZITADEL\u2019s login V2 user interface, available in versions 4.0.0 through 4.12.0, contains a flaw that lets users bypass the platform\u2019s authentication and security policies. An attacker can self\u2011register new accounts or log in with a password even when the organization has disabled those options. The flaw falls under CWE\u2011287, an authentication bypass weakness, and can lead to unauthorized access to protected resources.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.2, indicating high severity, yet the EPSS score is reported as less than 1% and the issue is not listed in the CISA KEV catalog, suggesting a low probability of current exploitation. Attackers would most likely exploit the flaw via the web login interface, submitting crafted credentials or form data that the UI accepts even when the configuration forbids such actions."}}}}, "created": "2026-03-09T10:05:20.226630+00:00", "updated": "2026-04-16T11:00:10.652164+00:00", "vendors": ["zitadel", "zitadel$PRODUCT$zitadel"]}