GHSA-pvm5-9frx-264r

Source
https://github.com/advisories/GHSA-pvm5-9frx-264r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-pvm5-9frx-264r/GHSA-pvm5-9frx-264r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pvm5-9frx-264r
Published
2026-01-15T18:17:06Z
Modified
2026-01-15T18:33:09.580345Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Zitadel has a user enumeration vulnerability in Login UIs
Details

Summary

A user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.

Impact

The login UIs (versions 1 and 2) provide the possibility to request a password reset, where an email is sent to the user with a link to a verification endpoint. By submitting arbitrary userIDs to these endpoints, an attacker can differentiate between valid and invalid accounts based on the system's response.

For an effective exploit the attacker needs to iterate through the potential set of userIDs. The impact can be limited by implementing rate limiting or similar measures to limit enumeration of userIDs.

Additionally, Zitadel includes a security feature "Ignoring unknown usernames", designed to prevent username enumeration attacks by presenting a generic response for both valid and invalid usernames on the login page. The login UI V2 did not handle the setting correctly and would allow attackers to enumerate through usernames to check their existence.

Affected Versions

All versions within the following ranges, including release candidates (RCs), are affected:

- 4.x: 4.0.0 through 4.9.0
- 3.x: 3.0.0 through 3.4.5
- 2.x: 2.0.0 through 2.71.19

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by returning a generic error message, which does not indicate whether the user exists.

- 4.x: Upgrade to >=4.9.1
- 3.x: Update to >=3.4.6
- 2.x: Update to >=3.4.6
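To make the differential described under Impact and the generic-response fix described under Patches concrete, here is an added Go example (not ZITADEL's code; the user store, mail sink and messages are constructed assumptions). It places the leaky reset handler beside the hardened one and includes a check that a defender can keep as a regression test for the response shape.

```go
package main

import "fmt"

// Constructed user store and mail sink standing in for ZITADEL's backend
// (assumptions for this example only, not project code).
var users = map[string]string{"u-1001": "alice@example.com"}
var sentMails []string

func sendResetMail(email string) { sentMails = append(sentMails, email) }

// Response is the observable reply to a password-reset request.
type Response struct {
	Status  int
	Message string
}

// leakyReset is the vulnerable pattern: the failed lookup is surfaced as-is,
// so an unknown userID produces a different status and message than a known one.
func leakyReset(userID string) Response {
	email, ok := users[userID]
	if !ok {
		return Response{Status: 404, Message: fmt.Sprintf("user %s not found", userID)}
	}
	sendResetMail(email)
	return Response{Status: 200, Message: "reset mail sent"}
}

// genericReset is the hardened pattern the advisory's patch describes: the reply
// is identical for known and unknown userIDs, and the only difference (whether
// a mail was sent) is not visible to the requester.
func genericReset(userID string) Response {
	if email, ok := users[userID]; ok {
		sendResetMail(email)
	}
	return Response{Status: 200, Message: "if the account exists, a reset mail has been sent"}
}

// Distinguishable reports whether two replies let an observer tell the inputs
// apart; it doubles as a regression check for the endpoint's response shape.
func Distinguishable(a, b Response) bool {
	return a.Status != b.Status || a.Message != b.Message
}

func main() {
	fmt.Println("leaky endpoint leaks existence:  ", Distinguishable(leakyReset("u-1001"), leakyReset("u-9999")))
	fmt.Println("generic endpoint leaks existence:", Distinguishable(genericReset("u-1001"), genericReset("u-9999")))
}
```

The check only covers the status and body; a measurable timing difference between the two branches (for example the mail send happening synchronously) would still be an oracle, so the same uniformity should be verified for response time.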

Workarounds

The recommended solution is to update ZITADEL to a patched version. You can limit the impact by implementing rate limiting or similar measures to limit enumeration of userIDs.

There is no workaround for the "Ignoring unknown usernames" issue in login V2. Please upgrade to a patched version if you rely on this feature.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Database specific
{
    "cwe_ids": [
        "CWE-203"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-01-15T18:17:06Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/zitadel/zitadel

Package

Name
github.com/zitadel/zitadel
Purl
pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0
Fixed
4.9.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-pvm5-9frx-264r/GHSA-pvm5-9frx-264r.json"

last_known_affected_version_range

"<= 4.9.0"

Go / github.com/zitadel/zitadel

Package

Name
github.com/zitadel/zitadel
Purl
pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-pvm5-9frx-264r/GHSA-pvm5-9frx-264r.json"

last_known_affected_version_range

"<= 3.4.5"