Vulnerabilities in zitadel
48 results

| CVE ID | Severity | Title | EPSS |
|---|---|---|---|
| CVE-2023-46238 | HIGH | XSS with User Avatar image in ZITADEL | 0.4% |
| CVE-2025-64717 | HIGH | ZITADEL vulnerable to Account Takeover with deactivated Instance IdP | 0.4% |
| CVE-2024-47000 | HIGH | Service Users Deactivation not Working in Zitadel | 0.4% |
| CVE-2026-29191 | CRITICAL | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | 0.4% |
| CVE-2026-32132 | HIGH | ZITADEL: Reactivation of Expired Passkey Registration Codes | 0.4% |
| CVE-2026-32131 | HIGH | ZITADEL Cross-Tenant Information Disclosure in Management API | 0.4% |
| CVE-2025-46815 | HIGH | ZITADEL Allows IdP Intent Token Reuse | 0.4% |
| CVE-2026-23511 | MEDIUM | ZITADEL has a user enumeration vulnerability in Login UIs | 0.4% |
| CVE-2025-31123 | HIGH | Zitadel Expired JWT Keys Usable for Authorization Grants | 0.4% |
| CVE-2025-48936 | HIGH | ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection | 0.4% |
| CVE-2024-47060 | MEDIUM | Unauthorized Access After Organization or Project Deactivation in Zitadel | 0.4% |
| CVE-2025-64102 | HIGH | Zitadel allows brute-forcing authentication factors | 0.4% |
| CVE-2025-57770 | MEDIUM | ZITADEL user enumeration vulnerability in login UI | 0.4% |
| CVE-2025-64101 | HIGH | ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection | 0.3% |
| CVE-2025-53895 | HIGH | ZITADEL has broken authN and authZ in session API and resulting session tokens | 0.3% |
| CVE-2025-64103 | HIGH | Zitadel Bypass Second Authentication Factor | 0.3% |
| CVE-2024-28197 | HIGH | Account Takeover via Session Fixation in Zitadel [Bypassing MFA] | 0.3% |
| CVE-2024-46999 | HIGH | User Grant Deactivation not Working in Zitadel | 0.3% |
| CVE-2026-29067 | HIGH | ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login | 0.3% |
| CVE-2026-29192 | HIGH | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | 0.3% |