LDAP Injection Vulnerability in ZITADEL Identity Management Platform
CVE-2026-44671

7.5 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 14 May 2026

What is CVE-2026-44671?

The ZITADEL identity management platform contains an LDAP filter injection vulnerability in its LDAP identity provider, affecting versions from 2.71.11 up to but not including 3.4.10, and 4.x versions before 4.15.0. The LDAP identity provider inserts the user-supplied username into LDAP search filters without proper escaping, so an unauthenticated attacker can inject LDAP filter metacharacters. A full authentication bypass is not possible, but the injected metacharacters allow blind LDAP injection: an attacker can infer which usernames are valid and may be able to retrieve sensitive attribute values from the connected LDAP directory. The vulnerability is fixed in versions 3.4.10 and 4.15.0.
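As an added illustration that is not ZITADEL's code, the following Go sketch shows the defect class the advisory describes (a username concatenated into a search filter) next to an RFC 4515 escaping routine and a simple metacharacter check that a defender could use to flag such login attempts in logs; the filter shape and attribute names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilterValue escapes an assertion value for use inside an LDAP
// search filter as RFC 4515 section 3 requires: '*', '(', ')', '\' and
// NUL are replaced by a backslash plus the two-digit hex code of the
// byte. All other bytes pass through unchanged.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// HasFilterMetacharacters reports whether a username contains filter
// metacharacters; useful for alerting on suspicious login attempts.
func HasFilterMetacharacters(s string) bool {
	return strings.ContainsAny(s, "*()\\\x00")
}

// UnsafeUserFilter reproduces the defect class: the username is
// concatenated into the filter verbatim, so metacharacters in it change
// the filter's structure instead of being matched literally.
func UnsafeUserFilter(userAttr, username string) string {
	return "(&(objectClass=person)(" + userAttr + "=" + username + "))"
}

// SafeUserFilter escapes the username first, so the directory always
// compares the attribute against the literal string the user typed.
func SafeUserFilter(userAttr, username string) string {
	return "(&(objectClass=person)(" + userAttr + "=" + EscapeFilterValue(username) + "))"
}

func main() {
	name := "alice*" // constructed sample input with a wildcard metacharacter
	fmt.Println("unsafe:", UnsafeUserFilter("uid", name))
	fmt.Println("safe:  ", SafeUserFilter("uid", name))
	fmt.Println("flag:  ", HasFilterMetacharacters(name))
}
```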

Affected Version(s)

zitadel >= 2.71.11, < 3.4.10 (unaffected: < 2.71.11; fixed in: 3.4.10)

zitadel >= 4.0.0, < 4.15.0 (unaffected: < 4.0.0; fixed in: 4.15.0)

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
