Security advisories for github.com/zitadel/zitadel (severity and score as listed; CVE shown where one is assigned):

| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.3 | CVE-2026-29191 | ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint | >= 4.0.0, < 4.12.0 |
| CRITICAL | 9.3 | CVE-2025-67494 | ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login | from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| CRITICAL | 9.0 | CVE-2025-27507 | IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations | from 0, < 2.63.8 |
| HIGH | 8.2 | — | ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication | >= 4.0.0, < 4.12.1 |
| HIGH | 8.1 | — | ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login | from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| HIGH | 8.1 | — | ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection | >= 2.0.0, < 2.71.18 |
| HIGH | 8.1 | — | ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection | >= 2.38.3, < 2.70.12 |
| HIGH | 8.1 | — | ZITADEL's Service Users Deactivation not Working | >= 2.62.0, < 2.62.1 |
| HIGH | 8.0 | — | ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login | from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e |
| HIGH | 7.7 | — | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | >= 4.0.0, < 4.12.0 |
| HIGH | 7.3 | — | ZITADEL's User Grant Deactivation not Working | >= 2.62.0, < 2.62.1 |
| MEDIUM | 6.8 | — | ZITADEL Allows Unauthorized Access After Organization or Project Deactivation | >= 2.62.0, < 2.62.1 |
| — | — | — | ZITADEL has potential SSRF via Actions | >= 2.59.0, < 4.11.1 |
| — | — | — | Zitadel May Bypass Second Authentication Factor | >= 2.53.6, <= 2.53.9 |
| — | — | — | Zitadel allows brute-forcing authentication factors | from 0, < 2.71.18 |
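The practical question this listing raises is which rows still apply to the ZITADEL build you run. The Go program below is an added example, not ZITADEL's own code or tooling: it embeds the ranges exactly as the page prints them, parses the page's notation ("from X" is read as ">= X"; ">=", "<" and "<=" as written), orders versions per semver (numeric core, then a release outranks a prerelease of the same core, then prerelease identifiers left to right), and reports the advisories whose range contains a given version. Titles are shortened here; the function names and the sample versions in `main` are constructed for the example. One caveat the data itself imposes: the three V2 login rows are listed against the pseudo-version `1.80.0-v2.20.0.20251208091519-4c879b47334e`, so for any tagged release at or above 1.80.0 the checker reports them as not matching. Treat that as "check the V2 login component separately", not as cleared.

```go
package main

import (
	"cmp"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// advisory is one row of the listing above: shortened title plus the
// affected-version range exactly as the page prints it.
type advisory struct{ title, affected string }

var advisories = []advisory{
	{"1-Click Account Takeover via XSS in /saml-post", ">= 4.0.0, < 4.12.0"},
	{"Unauthenticated Full-Read SSRF via V2 Login", "from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e"},
	{"IDOR in Admin API (LDAP configurations)", "from 0, < 2.63.8"},
	{"Login V2 UI Policy Bypass", ">= 4.0.0, < 4.12.1"},
	{"Improper Instance Validation in V2 Login", "from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e"},
	{"Malicious Forwarded Header Injection", ">= 2.0.0, < 2.71.18"},
	{"Malicious X-Forwarded-Proto Header Injection", ">= 2.38.3, < 2.70.12"},
	{"Service Users Deactivation not Working", ">= 2.62.0, < 2.62.1"},
	{"DOM-Based XSS in V2 Login", "from 0, < 1.80.0-v2.20.0.20251208091519-4c879b47334e"},
	{"Stored XSS via Default URI Redirect", ">= 4.0.0, < 4.12.0"},
	{"User Grant Deactivation not Working", ">= 2.62.0, < 2.62.1"},
	{"Unauthorized Access After Org/Project Deactivation", ">= 2.62.0, < 2.62.1"},
	{"Potential SSRF via Actions", ">= 2.59.0, < 4.11.1"},
	{"Second Authentication Factor Bypass", ">= 2.53.6, <= 2.53.9"},
	{"Brute-forcing Authentication Factors", "from 0, < 2.71.18"},
}

// version: numeric core plus optional prerelease identifiers (the V2 login rows carry a long one).
type version struct {
	core [3]int
	pre  []string
}

func parseVersion(s string) (v version, err error) {
	core, pre, hasPre := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	// SplitN keeps a 4th component glued to the 3rd, so "1.2.3.4" fails in Atoi below;
	// components absent from a short string such as "0" simply stay zero.
	for i, p := range strings.SplitN(core, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("bad version %q: %w", s, err)
		}
		v.core[i] = n
	}
	if hasPre {
		v.pre = strings.Split(pre, ".")
	}
	return v, nil
}

// compare orders versions per semver: core first; a release outranks any prerelease of
// the same core; prerelease identifiers then compare left to right, numeric ones by value
// and before alphanumeric ones, with a shorter identifier list sorting first.
func compare(a, b version) int {
	if c := slices.Compare(a.core[:], b.core[:]); c != 0 {
		return c
	}
	if len(a.pre) == 0 || len(b.pre) == 0 {
		return cmp.Compare(len(b.pre), len(a.pre))
	}
	return slices.CompareFunc(a.pre, b.pre, func(x, y string) int {
		xn, xerr := strconv.Atoi(x)
		yn, yerr := strconv.Atoi(y)
		switch {
		case xerr == nil && yerr == nil:
			return cmp.Compare(xn, yn)
		case xerr == nil:
			return -1
		case yerr == nil:
			return 1
		}
		return strings.Compare(x, y)
	})
}

// allowed maps each operator of the page's notation ("from X" reads as ">= X")
// to the compare() results that satisfy it.
var allowed = map[string][]int{"from": {0, 1}, ">=": {0, 1}, "<": {-1}, "<=": {-1, 0}}

// inRange checks v against a comma-separated range string. The ranges are
// constants copied from the table, so a malformed one is a bug and panics.
func inRange(v version, rng string) bool {
	for _, clause := range strings.Split(rng, ",") {
		op, arg, _ := strings.Cut(strings.TrimSpace(clause), " ")
		bound, err := parseVersion(arg)
		accept, known := allowed[op]
		if err != nil || !known {
			panic(fmt.Sprintf("malformed range clause %q: %v", clause, err))
		}
		if !slices.Contains(accept, compare(v, bound)) {
			return false
		}
	}
	return true
}

// affecting returns the titles of every listed advisory whose range contains ver.
func affecting(ver string) ([]string, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, a := range advisories {
		if inRange(v, a.affected) {
			hits = append(hits, a.title)
		}
	}
	return hits, nil
}

func main() {
	for _, ver := range []string{"2.62.0", "4.12.0", "4.12.1"} { // constructed sample inputs
		hits, _ := affecting(ver)
		fmt.Printf("%-7s %d open advisories: %v\n", ver, len(hits), hits)
	}
}
```

Running it shows why the table is worth reading row by row rather than by top score: 2.62.0 sits inside eight ranges, including the three deactivation-not-working rows that exist only for that single patch level, while 4.12.0 is clear of every row except the policy bypass, whose fix landed one patch later in 4.12.1. Note also that a "<= 2.53.9" upper bound (the second-factor bypass row) is inclusive, which the checker honours; an off-by-one there would report 2.53.9 as safe.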