Password Reset Mechanism Vulnerability in ZITADEL Identity Management Platform
CVE-2026-29067

8.1 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 7 March 2026

What is CVE-2026-29067?

ZITADEL, an open-source identity management platform, has identified a vulnerability in its password reset mechanism affecting versions 4.0.0-rc.1 through 4.7.0. The flaw arises because the password reset confirmation URL is generated from the Forwarded or X-Forwarded-Host header of the incoming request, headers that the requesting client itself supplies. Since that URL embeds a sensitive reset token, the mechanism could enable unauthorized users to exploit the system. The code that creates the URL has been patched in ZITADEL version 4.7.1, and users are encouraged to upgrade to the latest version to ensure protection against this vulnerability.
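As an added illustration of the flaw class this advisory describes (example code, not ZITADEL's own), the following Go snippet contrasts a reset-link builder that derives the link host from forwarded headers with a hardened one that uses only the configured external domain, plus a regression check that a generated link stays on that domain. The path /password/reset, the code parameter and all function names are hypothetical.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// forwardedHost extracts the host= parameter from an RFC 7239 Forwarded header
// value (simplified parsing, sufficient for this illustration).
func forwardedHost(h string) string {
	for _, elem := range strings.Split(h, ",") {
		for _, pair := range strings.Split(elem, ";") {
			pair = strings.TrimSpace(pair)
			if strings.HasPrefix(strings.ToLower(pair), "host=") {
				return strings.Trim(pair[len("host="):], `"`)
			}
		}
	}
	return ""
}

// vulnerableResetURL mirrors the weakness described above: the host of the
// confirmation link (which carries the reset token) comes from request headers.
func vulnerableResetURL(r *http.Request, code string) string {
	host := forwardedHost(r.Header.Get("Forwarded"))
	if host == "" {
		host = r.Header.Get("X-Forwarded-Host")
	}
	if host == "" {
		host = r.Host
	}
	return "https://" + host + "/password/reset?code=" + url.QueryEscape(code)
}

// hardenedResetURL takes the external origin from server configuration only,
// so nothing in the request can influence where the token is sent.
func hardenedResetURL(externalDomain, code string) string {
	u := url.URL{Scheme: "https", Host: externalDomain, Path: "/password/reset"}
	u.RawQuery = url.Values{"code": {code}}.Encode()
	return u.String()
}

// linkStaysOnDomain is a regression check for tests: every generated reset
// link must point at the configured domain, whatever headers the request had.
func linkStaysOnDomain(link, externalDomain string) bool {
	u, err := url.Parse(link)
	return err == nil && strings.EqualFold(u.Host, externalDomain)
}
```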

Affected Version(s)

zitadel >= 4.0.0-rc.1, < 4.7.1

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
