PT-2026-22071 · Zitadel · Zitadel

Livio-A · Published 2026-02-26 · Updated 2026-03-30 · CVE-2026-27946

CVSS v4.0: 8.2 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
ZITADEL versions prior to 3.4.7
ZITADEL versions prior to 4.11.1

Description
ZITADEL, an open source identity management platform, contained a missing-authorization flaw in its user self-management feature. A user could mark their own email address or phone number as verified by setting the verification flag directly, without completing the verification process (receiving and confirming a code). Since downstream controls commonly trust these flags, a user could claim an address or number they do not control and have it treated as verified. The fix enforces a permission check whenever the verification flag is set and restricts self-management to changing the email address and/or phone number itself, so that verification still has to go through the normal flow.

Recommendations
Upgrade to ZITADEL version 3.4.7 or later, or 4.11.1 or later, depending on the release line in use. If an upgrade is not possible, use an action (v2) to reject self-management requests that attempt to set the verification flag on user accounts. After upgrading or deploying the action, confirm the mitigation by attempting, as a non-privileged user, to set the verified flag on your own email or phone and checking that the request is rejected. Note that the fix only blocks new attempts; flags that were set through this path before the fix are not reset, so if email or phone verification gates anything sensitive in your deployment, review accounts whose verified status cannot be traced to a completed verification.
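The authorization split that the fix enforces, shown as an added illustration in Go (ZITADEL's implementation language). This is not ZITADEL's code: the type names, the request shape and the `user.write` permission are assumptions chosen for the example, and the scenario data is constructed. The vulnerable handler gates the whole request on one coarse check and then copies the verified flag from the request; the hardened handler treats "change the address" and "assert it is verified" as two separate rights, which is also the rule a pre-request action would have to enforce as a workaround.

```go
package main

import (
	"errors"
	"fmt"
)

// Actor is the caller of a self-management or administrative request.
// Permissions is a hypothetical permission set; "user.write" stands in for
// an administrative grant and is NOT a ZITADEL permission name.
type Actor struct {
	UserID      string
	Permissions map[string]bool
}

// User is a minimal stand-in for a stored human user record.
type User struct {
	ID            string
	Email         string
	EmailVerified bool
	PendingCode   bool // a verification code was issued and awaits confirmation
}

// SetEmailRequest models a "set email" call: the caller supplies the new
// address and may try to assert that it is already verified.
type SetEmailRequest struct {
	TargetUserID string
	Email        string
	IsVerified   bool
}

var ErrPermissionDenied = errors.New("permission denied")

func isSelf(a Actor, r SetEmailRequest) bool { return a.UserID == r.TargetUserID }

// setEmailVulnerable reproduces the bug class: one coarse check decides
// whether the caller may touch the record at all, and the verified flag is
// then copied straight from the request. A user editing their own account
// therefore verifies any address they like.
func setEmailVulnerable(a Actor, u *User, r SetEmailRequest) error {
	if u.ID != r.TargetUserID {
		return errors.New("target user mismatch")
	}
	if !isSelf(a, r) && !a.Permissions["user.write"] {
		return ErrPermissionDenied
	}
	u.Email = r.Email
	u.EmailVerified = r.IsVerified
	u.PendingCode = !r.IsVerified
	return nil
}

// setEmailFixed separates two rights: changing the address (self or admin)
// and asserting verification (admin only). A self-service caller that sets
// IsVerified is refused outright rather than silently downgraded, so the
// attempt fails loudly and can be logged; an unverified self-service change
// still goes through the normal code flow.
func setEmailFixed(a Actor, u *User, r SetEmailRequest) error {
	if u.ID != r.TargetUserID {
		return errors.New("target user mismatch")
	}
	switch {
	case a.Permissions["user.write"]:
		// administrative path: may set both the address and the verified flag
	case isSelf(a, r):
		if r.IsVerified {
			return fmt.Errorf("%w: self-management may not set the verified flag", ErrPermissionDenied)
		}
	default:
		return ErrPermissionDenied
	}
	u.Email = r.Email
	u.EmailVerified = r.IsVerified
	u.PendingCode = !r.IsVerified
	return nil
}

func main() {
	// Constructed scenario: user "u1" tries to verify an address they do not control.
	self := Actor{UserID: "u1", Permissions: map[string]bool{}}
	req := SetEmailRequest{TargetUserID: "u1", Email: "ceo@victim.example", IsVerified: true}

	u := User{ID: "u1"}
	err := setEmailVulnerable(self, &u, req)
	fmt.Printf("vulnerable: err=%v verified=%v\n", err, u.EmailVerified)

	u = User{ID: "u1"}
	err = setEmailFixed(self, &u, req)
	fmt.Printf("fixed:      err=%v verified=%v\n", err, u.EmailVerified)
}
```

The design choice worth copying is that the hardened handler refuses the request rather than quietly dropping the flag: a silent downgrade hides probing from your logs and leaves the caller unsure whether the check exists, whereas a denied request is both auditable and an unambiguous signal when you verify the mitigation on a live instance.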

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2026-27946
GHSA-282G-FHMX-XF54
GO-2026-4572
SUSE-SU-2026:1042-1

Affected Products

Zitadel