PT-2026-39289 · Zitadel · Zitadel

Proscan-One · Published 2026-05-08 · Updated 2026-05-15 · CVE-2026-44671

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
- ZITADEL versions 2.71.11 through 2.71.19
- ZITADEL versions 3.1.0 through 3.4.9
- ZITADEL versions 4.0.0 through 4.14.0
Description
The LDAP identity provider implementation does not escape the username submitted at login before interpolating it into the LDAP search filter used to look the user up. An unauthenticated attacker can therefore inject LDAP filter syntax during the login flow. Because the filter is built from the attacker's input, metacharacters such as *, ( and ) keep their special meaning: a wildcard turns an exact lookup into a substring match, and parentheses let the attacker close the intended clause and open another. The attacker does not see the directory's response directly, but the login either proceeds (an entry matched) or fails (nothing matched), which is enough for blind LDAP injection: by varying the injected pattern and observing that success/failure signal, valid usernames can be enumerated systematically and the values of other attributes on the matched entries inferred character by character. The flaw does not yield a full authentication bypass, since a valid password is still required after the lookup.
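The pattern behind this finding, shown as an added example in Go (the language ZITADEL is written in). This is illustrative code written for this page, not ZITADEL's own LDAP provider code: it assumes a simple `(uid=<username>)` lookup filter, and `escapeFilterValue`, `buildFilterUnsafe`, `buildFilterSafe`, `matchesFilter`, `probe` and `sampleDirectory` are all names and data constructed for the example. `matchesFilter` is a tiny stand-in for the directory server so the block runs offline. With the unsafe builder the input `adm*` matches `admin`, so the login flow reveals that an account starting with `adm` exists; with the RFC 4515 escaping the same input is compared literally and matches nothing.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// escapeFilterValue applies the RFC 4515 section 3 escaping rules to a value
// that will be embedded in a search filter: '\', '*', '(', ')' and NUL become
// a backslash plus two hex digits, so the server treats them as literal
// characters rather than filter syntax. (Illustrative helper, not Zitadel's.)
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildFilterUnsafe shows the vulnerable pattern: the raw username is
// interpolated into the filter, so its metacharacters keep their meaning.
func buildFilterUnsafe(attr, username string) string {
	return fmt.Sprintf("(%s=%s)", attr, username)
}

// buildFilterSafe escapes the username first; the resulting filter can only
// match the exact string the user typed.
func buildFilterSafe(attr, username string) string {
	return fmt.Sprintf("(%s=%s)", attr, escapeFilterValue(username))
}

// matchesFilter is a minimal stand-in for the directory server. It evaluates
// one filter of the form (attr=value) against a single attribute value,
// treating an unescaped '*' as a wildcard and decoding \XX escapes back to
// literal bytes, which is how a real server reads the filter.
func matchesFilter(filter, attr, value string) bool {
	prefix := "(" + attr + "="
	if !strings.HasPrefix(filter, prefix) || !strings.HasSuffix(filter, ")") {
		return false
	}
	pattern := filter[len(prefix) : len(filter)-1]

	// Split the pattern on unescaped '*' into literal segments.
	var parts []string
	var cur strings.Builder
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		if c == '\\' && i+2 < len(pattern) {
			if v, err := strconv.ParseUint(pattern[i+1:i+3], 16, 8); err == nil {
				cur.WriteByte(byte(v))
				i += 2
				continue
			}
		}
		if c == '*' {
			parts = append(parts, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteByte(c)
	}
	parts = append(parts, cur.String())

	if len(parts) == 1 {
		return value == parts[0] // plain equality match, no wildcard present
	}
	// Substring match: initial*any*...*final.
	if !strings.HasPrefix(value, parts[0]) {
		return false
	}
	rest := value[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		idx := strings.Index(rest, mid)
		if idx < 0 {
			return false
		}
		rest = rest[idx+len(mid):]
	}
	return strings.HasSuffix(rest, parts[len(parts)-1])
}

// probe models the one bit a blind injection attack observes during login:
// whether the username search returned any entry.
func probe(directory []string, build func(attr, username string) string, username string) bool {
	filter := build("uid", username)
	for _, uid := range directory {
		if matchesFilter(filter, "uid", uid) {
			return true
		}
	}
	return false
}

// sampleDirectory is a constructed set of account names standing in for the
// connected LDAP directory.
var sampleDirectory = []string{"alice", "bob", "admin", "svc-backup"}

func main() {
	for _, u := range []string{"alice", "adm*", "svc-*", "*", "nobody"} {
		fmt.Printf("%-8q unsafe=%-5v safe=%v\n", u,
			probe(sampleDirectory, buildFilterUnsafe, u),
			probe(sampleDirectory, buildFilterSafe, u))
	}
}
```

The same escaping turns the parentheses the advisory mentions into `\28` and `\29`, so a payload such as `*)(uid=*` can no longer close the original clause and open a new one. Production Go code would normally use the `EscapeFilter` helper from the go-ldap library rather than a hand-written routine; the logic is the same.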
Recommendations
- Update versions 2.71.11 through 2.71.19 to 3.4.10.
- Update versions 3.1.0 through 3.4.9 to 3.4.10.
- Update versions 4.0.0 through 4.14.0 to 4.15.0.
- Ensure the LDAP directory has strict access controls to limit the scope of information disclosure. The injected search runs with the credentials ZITADEL binds to the directory with, so restricting what that bind account may read bounds which attributes an attacker can extract until the update is applied.

Related Identifiers

CVE-2026-44671
GHSA-RXVX-HHPJ-Q6PX

Affected Products

Zitadel