PT-2026-23106 · Zitadel · Zitadel

Amit-Laish · Published 2026-03-04 · Updated 2026-03-25

CVE-2026-29193

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ZITADEL versions 4.0.0 through 4.12.0

Description: ZITADEL, an open source identity management platform, had a flaw in its login V2 UI. This allowed users to circumvent login behavior and security policies, enabling self-registration of new accounts or sign-in with passwords even when these options were disabled by the organization's administrators. An attacker could send direct HTTP requests to the login UI to create accounts in organizations where self-registration was disabled, and gain unauthorized access. The same attack vector could be used to authenticate with a username and password even when this login method was disabled.

Recommendations: Upgrade to version 4.12.1 or later.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-29193
GHSA-25RW-G6FF-FMG8
GO-2026-4604
SUSE-SU-2026:1042-1

Affected Products

Zitadel