PT-2026-24853 · Git+1 · Zitadel
Odgrso · Published 2026-03-11 · Updated 2026-03-16 · CVE-2026-32130
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ZITADEL versions 2.68.0 through 3.4.7; ZITADEL version 4.12.2
Description: ZITADEL is an open source identity management platform. Versions 2.68.0 up to (but not including) 3.4.8, and version 4.12.2, contain an issue where requests to the System for Cross-domain Identity Management (SCIM) API with URL-encoded path values bypassed the required authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information, including names, email addresses, phone numbers, addresses, external IDs, and roles. Data manipulation or deletion was prevented by additional checks. The SCIM API endpoint is affected; the vulnerable parameter is the URL-encoded path value.
Recommendations: ZITADEL versions 2.68.0 through 3.4.7 should be updated to version 3.4.8 or later. ZITADEL version 4.12.2 should be used.
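The weakness described above is a canonicalization gap: the authorization check looked at the raw request path while the router matched the percent-decoded one. The Python below is an added example, not ZITADEL's code and not taken from this advisory. It shows the defensive side: a route check that runs on the decoded, slash-collapsed path, and a scanner that flags SCIM requests in access logs whose raw path percent-encodes characters that never need encoding (RFC 3986 unreserved characters or "/"), since legitimate clients have no reason to send them that way. The /scim/v2/ prefix, the log format and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# RFC 3986 section 2.3 unreserved characters. Encoding one of these never
# changes the meaning of a path, so when it appears encoded it is a
# canonicalization mismatch: the raw bytes and the routed path differ.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")

# Assumed SCIM route prefix for this example; the advisory does not give
# ZITADEL's real routing table, so treat this as a placeholder.
SCIM_PREFIX = "/scim/v2/"

# Constructed access-log lines (common/combined log style). Not real
# ZITADEL output; they exist only to exercise the scanner below.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Mar/2026:10:00:01 +0000] "GET /scim/v2/123456/Users HTTP/1.1" 401 0
203.0.113.10 - - [11/Mar/2026:10:00:02 +0000] "GET /scim/v2/123456/%55sers HTTP/1.1" 200 4821
198.51.100.7 - - [11/Mar/2026:10:00:03 +0000] "GET /ui/console HTTP/1.1" 200 1234
203.0.113.10 - - [11/Mar/2026:10:00:04 +0000] "GET /scim/v2/123456/Users/alice%40example.com HTTP/1.1" 200 512
203.0.113.10 - - [11/Mar/2026:10:00:05 +0000] "GET /scim%2Fv2/123456/Users HTTP/1.1" 200 4821
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def canonical_path(raw_path: str) -> str:
    """Percent-decode and collapse repeated slashes.

    Authorization must be decided on this form, never on the raw bytes,
    so that an encoded and a plain spelling of the same route are gated
    identically.
    """
    decoded = unquote(raw_path)
    return re.sub(r"/+", "/", decoded)


def has_evasive_encoding(raw_path: str) -> bool:
    """True if any %XX in the raw path decodes to an unreserved char or '/'.

    Encoding a reserved character inside a resource id (for example '@'
    in an e-mail style user name) is ordinary and is not flagged.
    """
    for match in PCT_RE.finditer(raw_path):
        ch = chr(int(match.group(1), 16))
        if ch in UNRESERVED or ch == "/":
            return True
    return False


def is_scim_request(raw_path: str) -> bool:
    """Route check performed on the canonical path."""
    return canonical_path(raw_path).startswith(SCIM_PREFIX)


def scan_access_log(text: str) -> list:
    """Return one finding per SCIM request whose raw path carries evasive encoding."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        raw = match.group("path").split("?", 1)[0]  # ignore the query string
        if is_scim_request(raw) and has_evasive_encoding(raw):
            findings.append({
                "method": match.group("method"),
                "raw_path": raw,
                "canonical_path": canonical_path(raw),
                "status": int(match.group("status")),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

In the constructed sample, the second and fifth lines are reported (an encoded unreserved letter and an encoded slash, both of which decode to the plain Users route), while the fourth line is not, because "%40" is a reserved character legitimately encoded inside a user identifier. The same `canonical_path` function is what an authorization middleware should call before consulting its permission rules.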

Weakness Enumeration
Authentication Bypass Using an Alternate Path or Channel

Related Identifiers
CVE-2026-32130
GHSA-83PV-4XXP-RM2X

Affected Products
Zitadel