Self-Management Flaw in ZITADEL Identity Management Platform
CVE-2026-27946

8.2HIGH

Key Information:

Vendor: Zitadel
Status: Zitadel
Vendor: CVE Published:; 26 February 2026

What is CVE-2026-27946?

ZITADEL's open-source identity management platform exhibited a critical self-management vulnerability that permitted users to mark their email and phone numbers as verified without completing the necessary verification process. This issue compromised user account integrity by inadequately managing verification flags. The vulnerability has been addressed in updates 4.11.1 and 3.4.7, where new permissions ensure that only authorized actions allow for self-verification of email addresses and phone numbers. Users unable to upgrade can implement a specific action (v2) to mitigate this issue by disabling the ability to set verification flags.

Affected Version(s)

zitadel >= 4.0.0, < 4.11.0 < 4.0.0, 4.11.0

zitadel < 3.4.7 < 3.4.7

References

https://github.com/zitadel/zitadel/security/advisories/GH...

x_refsource_CONFIRM

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Feb 25, 2026

CVE-2026-27946 Data

JSON

Zitadel

What is CVE-2026-27946?

Affected Version(s)

References

CVSS V4

Timeline