Hoseph

**Name of the Vulnerable Software and Affected Versions** ZITADEL versions 2.37.2 and prior **Description** ZITADEL provides identity infrastructure. The issue arises from the "Ignoring unknown usernames" setting, which is intended to mitigate attacks that try to guess or enumerate usernames. Although this setting works correctly during the authentication process, it fails to work as expected on the password reset flow. As a result, even with this feature active, an attacker can use the password reset function to verify if an account exists within ZITADEL. **Recommendations** For ZITADEL versions 2.37.2 and prior, update to version 2.37.3 or 2.38.0 to resolve the issue. As a temporary workaround, consider restricting access to the password reset function until the update is applied.