Zitadel Identity Management Platform: Login Bypass in Version 4.0.0 to 4.12.0
GHSA-25rw-g6ff-fmg8 · CVE-2026-29193
Summary
A flaw in ZITADEL's login V2 UI lets a user ignore an organization's login policy: they can self-register a new account, or sign in with a password, even when those options are disabled for that organization. An attacker can therefore obtain an account or authenticate without the verification the organization intended to enforce. Upgrade to version 4.12.1 to fix this issue.
What to do
- Upgrade ZITADEL to version 4.12.1 or later (repository github.com/zitadel/zitadel; Go module github.com/zitadel/zitadel/v2).
- After upgrading, confirm in the login V2 UI that an organization with self-registration and password login disabled actually rejects both flows.
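Added here as a worked example, not code from ZITADEL or from the advisory: a small Go triage helper that checks deployed version strings against the advisory's affected range (4.0.0 through 4.12.0, fixed in 4.12.1) so you can see at a glance which instances still need the upgrade. The inventory map and instance names are constructed; how you obtain each instance's version is an assumption (the code expects a release tag string such as "v4.10.2"). Pre-release and build suffixes are stripped before comparison, so a tag like v4.12.1-rc.1 is treated as 4.12.1; verify such builds against the fix commit yourself.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// semver holds the numeric MAJOR.MINOR.PATCH part of a ZITADEL release tag.
type semver struct{ major, minor, patch int }

// Affected range from the advisory: 4.0.0 <= v <= 4.12.0, fixed in 4.12.1.
var (
	firstAffected = semver{4, 0, 0}
	lastAffected  = semver{4, 12, 0}
	fixedVersion  = semver{4, 12, 1}
)

// parseVersion accepts "4.12.0", "v4.12.0" and "v4.12.0-rc.1". Pre-release
// and build-metadata suffixes are dropped before comparison (assumption: you
// check pre-release builds of the fix version by hand).
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("bad component %q in version %q", p, s)
		}
		nums[i] = n
	}
	return semver{nums[0], nums[1], nums[2]}, nil
}

// cmp returns -1, 0 or 1 as a is less than, equal to or greater than b.
func (a semver) cmp(b semver) int {
	for _, d := range [3]int{a.major - b.major, a.minor - b.minor, a.patch - b.patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	return 0
}

// IsAffected reports whether a ZITADEL version string falls inside the
// advisory's affected range. An unparsable string yields an error rather
// than a silent "not affected".
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	return v.cmp(firstAffected) >= 0 && v.cmp(lastAffected) <= 0, nil
}

// Triage takes an instance-name -> version map and returns the sorted names
// that still need the 4.12.1 upgrade, plus one error per unparsable entry.
func Triage(inventory map[string]string) (affected []string, errs []error) {
	for name, ver := range inventory {
		hit, err := IsAffected(ver)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", name, err))
			continue
		}
		if hit {
			affected = append(affected, name)
		}
	}
	sort.Strings(affected)
	return affected, errs
}

func main() {
	// Constructed inventory for illustration; not real hosts.
	inventory := map[string]string{
		"prod":    "4.12.1",
		"staging": "v4.10.2",
		"lab":     "4.0.0",
		"legacy":  "3.14.0",
		"broken":  "latest",
	}
	affected, errs := Triage(inventory)
	fmt.Printf("needs upgrade to %d.%d.%d: %v\n",
		fixedVersion.major, fixedVersion.minor, fixedVersion.patch, affected)
	for _, err := range errs {
		fmt.Println("could not evaluate:", err)
	}
}
```

Run it with `go run .` after dropping the file into an empty module; feed `Triage` whatever version data your inventory tooling already collects.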
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| zitadel | zitadel (github.com/zitadel/zitadel) | >= 4.0.0, <= 4.12.0 | 4.12.1 |
| zitadel | github.com/zitadel/zitadel/v2 (Go module) | >= 4.0.0, <= 4.12.0 | 4.12.1 |
Original description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using a password even if the corresponding options were disabled in their organization. This issue has been patched in version 4.12.1.
CVSS 3.1 (GHSA): 8.2 (High)
Vulnerability type
CWE-287: Improper Authentication
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026