Vulnerability in Zitadel Identity Management Platform's Passkey Registration Endpoints
CVE-2026-32132

7.4 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 11 March 2026

What is CVE-2026-32132?

Zitadel, an open source identity management platform, contains a vulnerability in its passkey registration endpoints in versions prior to 3.4.8 and 4.12.2. The flaw is an improper expiration check on registration codes: because the code's validity period is not enforced correctly, an attacker can use such a code to register a passkey bound to a victim's account, which can lead to unauthorized access to that account and the sensitive information it holds. The issue is fixed in versions 3.4.8 and 4.12.2.
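The defensive pattern the advisory points at is that a registration code must be checked for expiry, and for the other properties a one-time enrolment secret needs, before a passkey is attached to an account. The following Go example is added here to illustrate that pattern; it is not Zitadel's code, does not reproduce the defect in the affected versions, and all type and function names (`RegistrationCode`, `NewRegistrationCode`, `Verify`) are hypothetical. The verifier confirms the code was issued for the same account the passkey is being registered for, rejects it at or after its expiry time, rejects reuse, and compares the presented secret in constant time.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// RegistrationCode is a hypothetical one-time code issued to a user so they can
// register a passkey. Expiry and single use are tracked on the server side.
type RegistrationCode struct {
	UserID    string
	Secret    string
	IssuedAt  time.Time
	ExpiresAt time.Time
	Used      bool
}

var (
	ErrExpired      = errors.New("registration code expired")
	ErrUsed         = errors.New("registration code already used")
	ErrMismatch     = errors.New("registration code does not match")
	ErrWrongAccount = errors.New("registration code issued for a different account")
)

// NewRegistrationCode issues a random code for userID that is valid for ttl from now.
func NewRegistrationCode(userID string, now time.Time, ttl time.Duration) (*RegistrationCode, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	return &RegistrationCode{
		UserID:    userID,
		Secret:    base64.RawURLEncoding.EncodeToString(buf),
		IssuedAt:  now,
		ExpiresAt: now.Add(ttl),
	}, nil
}

// Verify validates a presented code for a passkey registration on account userID.
// It checks, in order: the code belongs to that account, it has not expired at
// time now (the expiry instant itself counts as expired), it has not already
// been consumed, and the secret matches in constant time. Only when every check
// passes is the code marked as used.
func (c *RegistrationCode) Verify(userID, presented string, now time.Time) error {
	if c.UserID != userID {
		return ErrWrongAccount
	}
	if !now.Before(c.ExpiresAt) {
		return ErrExpired
	}
	if c.Used {
		return ErrUsed
	}
	if subtle.ConstantTimeCompare([]byte(c.Secret), []byte(presented)) != 1 {
		return ErrMismatch
	}
	c.Used = true
	return nil
}

func main() {
	// Constructed walk-through: a code issued at a fixed time with a 10 minute TTL.
	issued := time.Date(2026, 3, 11, 12, 0, 0, 0, time.UTC)
	code, err := NewRegistrationCode("user-1", issued, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("late use:  ", code.Verify("user-1", code.Secret, issued.Add(11*time.Minute)))
	fmt.Println("in time:   ", code.Verify("user-1", code.Secret, issued.Add(time.Minute)))
	fmt.Println("second use:", code.Verify("user-1", code.Secret, issued.Add(2*time.Minute)))
}
```

Keeping the time source as an explicit parameter rather than calling `time.Now()` inside `Verify` is what makes the expiry boundary testable; a server would pass its clock at request time.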

Affected Version(s)

zitadel >= 4.0.0, < 4.12.2 (fixed in 4.12.2)

zitadel < 3.4.8 (fixed in 3.4.8)

References

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
