PT-2026-24855 · Git+1 · Zitadel
Odgrso · Published 2026-03-11 · Updated 2026-03-16 · CVE-2026-32132

| CVSS v3.1 | 7.4 (High) |
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
ZITADEL versions prior to 3.4.8
ZITADEL versions prior to 4.12.2
Description
ZITADEL is an open source identity management platform. A potential issue exists in the passkey registration endpoint, which allows a new passkey to be registered using a previously retrieved code. An improper expiration check of this code could allow an attacker to potentially register their own passkey and gain access to the victim's account. The vulnerable endpoint is the passkey registration endpoint; the vulnerable variable is the code used for passkey registration.
Recommendations
Update to ZITADEL version 3.4.8 or later.
Update to ZITADEL version 4.12.2 or later.
Weakness Enumeration
Insufficient Session Expiration
Related Identifiers
CVE-2026-32132
Affected Products
Zitadel