GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
35 advisories
Zitadel is missing enforcement of organization scopes
Moderate
CVE-2026-33132
was published
for
github.com/zitadel/zitadel
(Go)
Mar 18, 2026
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
High
CVE-2026-29192
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
High
CVE-2026-29193
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
Critical
CVE-2026-29191
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
ZITADEL has potential SSRF via Actions
Low
CVE-2026-27945
was published
for
github.com/zitadel/zitadel/v2
(Go)
Feb 27, 2026
ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
High
CVE-2026-27946
was published
for
github.com/zitadel/zitadel
(Go)
Feb 27, 2026
ZITADEL's truncated opaque tokens are still valid
Moderate
CVE-2026-27840
was published
for
github.com/zitadel/zitadel
(Go)
Feb 27, 2026
Zitadel has a user enumeration vulnerability in Login UIs
Moderate
CVE-2026-23511
was published
for
github.com/zitadel/zitadel
(Go)
Jan 15, 2026
Zitadel Discloses the Total Number of Instance Users
Moderate
CVE-2025-67717
was published
for
github.com/zitadel/zitadel
(Go)
Dec 10, 2025
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
High
CVE-2025-67495
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login
High
CVE-2026-29067
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
Critical
CVE-2025-67494
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
High
CVE-2025-64717
was published
for
github.com/zitadel/zitadel
(Go)
Nov 14, 2025
IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering
High
CVE-2025-64431
was published
for
github.com/zitadel/zitadel
(Go)
Nov 5, 2025
Zitadel May Bypass Second Authentication Factor
High
CVE-2025-64103
was published
for
github.com/zitadel/zitadel
(Go)
Oct 29, 2025
Zitadel allows brute-forcing authentication factors
High
CVE-2025-64102
was published
for
github.com/zitadel/zitadel
(Go)
Oct 29, 2025
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
High
CVE-2025-64101
was published
for
github.com/zitadel/zitadel/v2
(Go)
Oct 29, 2025
ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
High
CVE-2025-48936
was published
for
github.com/zitadel/zitadel
(Go)
May 28, 2025
ZITADEL Allows IdP Intent Token Reuse
High
CVE-2025-46815
was published
for
github.com/zitadel/zitadel
(Go)
May 6, 2025
IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
Critical
CVE-2025-27507
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2025
Denied Host Validation Bypass in Zitadel Actions
Moderate
CVE-2024-49753
was published
for
github.com/zitadel/zitadel
(Go)
Oct 25, 2024
ZITADEL Allows Unauthorized Access After Organization or Project Deactivation
High
CVE-2024-47060
was published
for
github.com/zitadel/zitadel/v2
(Go)
Sep 19, 2024
ZITADEL's Service Users Deactivation not Working
High
CVE-2024-47000
was published
for
github.com/zitadel/zitadel/v2
(Go)
Sep 19, 2024
ZITADEL's User Grant Deactivation not Working
High
CVE-2024-46999
was published
for
github.com/zitadel/zitadel/v2
(Go)
Sep 19, 2024
ZITADEL "ignoring unknown usernames" vulnerability
Moderate
CVE-2024-41952
was published
for
github.com/zitadel/zitadel
(Go)
Jul 31, 2024
ProTip!
Advisories are also available from the
GraphQL API