Identity Management Platform Vulnerability in ZITADEL
CVE-2026-56666
4.8MEDIUM
What is CVE-2026-56666?
The ZITADEL Identity Management Platform prior to version 4.15.3 contains a security flaw in its external identity provider handler. Specifically, while the system checks if the local user's email is verified, it fails to confirm that the external identity provider has also verified ownership of that email before auto-linking accounts. This could allow an attacker using a permissive provider account to link to a victim's local account by using the victim's email address, potentially leading to unauthorized access. The issue has been addressed in version 4.15.3.
Affected Version(s)
zitadel < 4.15.3
