
Zitadel SCIM API allows unauthorized access to user data

CVE-2026-32130
Summary

Zitadel, an open source identity management platform, has a bug that lets attackers retrieve sensitive user information without authenticating. This is a risk if you use Zitadel's SCIM API to provision users from other providers. Update to version 3.4.8 or 4.12.2 to fix this issue.

Original description
ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Requests to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.
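The description above points at a general failure mode (CWE-288): an authentication or permission check matches the request path in one form while the router dispatches on another, so a percent-encoded spelling of a protected path reaches the handler without passing the check. The following Go program is an added example written for this page; it is not Zitadel's code and does not reproduce Zitadel's routes. The protected prefix `/scim/v2`, the function names and the sample request lines are all constructed. It contrasts a weak check that matches the raw request URI with a hardened check that decides on the decoded, cleaned path (the same value a decoding router would dispatch on) and denies requests containing an encoded slash, which would otherwise change the segment structure between the client's view and the router's view.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical protected prefix for this example; it is not Zitadel's route table.
const protectedPrefix = "/scim/v2"

// errEncodedSlash marks a path whose segment structure changes when decoded.
var errEncodedSlash = errors.New("percent-encoded slash in path")

// weakRequiresAuth is the flawed pattern: it matches the request URI exactly as
// it arrived on the wire. A router that percent-decodes before dispatch still
// delivers "/%73cim/v2/Users" to the protected handler, but this check never
// sees "/scim/v2" and reports the request as unprotected.
func weakRequiresAuth(requestURI string) bool {
	return requestURI == protectedPrefix || strings.HasPrefix(requestURI, protectedPrefix+"/")
}

// hardenedRequiresAuth decides on the same value the router dispatches on: the
// percent-decoded, dot-segment-cleaned path. It also refuses an encoded slash
// (%2F), because decoding it would alter the segment structure. Any error
// means "deny"; the caller must not fall through to the unauthenticated path.
func hardenedRequiresAuth(requestURI string) (bool, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, err
	}
	if strings.Contains(strings.ToLower(u.EscapedPath()), "%2f") {
		return false, errEncodedSlash
	}
	clean := path.Clean(u.Path) // u.Path is already percent-decoded by net/url
	return clean == protectedPrefix || strings.HasPrefix(clean, protectedPrefix+"/"), nil
}

// decision renders the two checks side by side for one request line.
func decision(requestURI string) string {
	weak := weakRequiresAuth(requestURI)
	hard, err := hardenedRequiresAuth(requestURI)
	hardStr := fmt.Sprintf("%v", hard)
	if err != nil {
		hardStr = "deny (" + err.Error() + ")"
	}
	return fmt.Sprintf("%-26s weak=%-5v hardened=%s", requestURI, weak, hardStr)
}

func main() {
	// Constructed sample request targets: the plain path, a percent-encoded
	// spelling of it, dot segments, an encoded slash, and an unprotected path.
	for _, uri := range []string{
		"/scim/v2/Users",
		"/%73cim/v2/Users",
		"/scim/v2/../../healthz",
		"/scim/v2/Users%2F42",
		"/healthz",
	} {
		fmt.Println(decision(uri))
	}
}
```

The design point is that the authorization decision and the routing decision must consume one canonical form of the path; computing it once, before both, removes the alternate path entirely. The encoded-slash rule is deliberately strict: where an API legitimately needs `%2F` inside a segment, the check should decode per segment rather than on the whole path, but it must never silently let the two views diverge.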
NVD CVSS 3.1 base score: 7.5
Vulnerability type
CWE-288 Authentication Bypass Using Alternate Path
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026