Identity Management Platform Vulnerability in ZITADEL
CVE-2026-56666

4.8MEDIUM

Key Information:

Vendor

Zitadel

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56666?

The ZITADEL Identity Management Platform prior to version 4.15.3 contains a security flaw in its external identity provider handler. Specifically, while the system checks if the local user's email is verified, it fails to confirm that the external identity provider has also verified ownership of that email before auto-linking accounts. This could allow an attacker using a permissive provider account to link to a victim's local account by using the victim's email address, potentially leading to unauthorized access. The issue has been addressed in version 4.15.3.

Affected Version(s)

zitadel < 4.15.3

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.