CVE-2026-23511

Source
https://cve.org/CVERecord?id=CVE-2026-23511
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23511.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23511
Aliases
Downstream
Related
Published
2026-01-15T19:09:06.154Z
Modified
2026-07-15T02:17:49.801009842Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
ZITADEL has a user enumeration vulnerability in Login UIs
Details

ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23511.json",
    "cwe_ids": [
        "CWE-204"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/zitadel/zitadel

Affected ranges

Type
GIT
Repo
https://github.com/zitadel/zitadel
Events
Database specific
{
    "cpe": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.71.19"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.4.6"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.9.1"
        }
    ]
}

Affected versions

2.*
2.20.0
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.15.0
v2.16.0
v2.16.1
v2.17.0
v2.17.1
v2.18.0
v2.19.0
v2.2.0
v2.20.0
v2.21.0
v2.22.0
v2.22.1
v2.22.2
v2.23.0
v2.23.1
v2.24.0
v2.25.0
v2.25.1
v2.25.2
v2.25.3
v2.26.0
v2.26.1
v2.26.2
v2.27.0
v2.27.1
v2.28.0
v2.28.1
v2.29.0
v2.29.1
v2.29.2
v2.29.3
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.30.0
v2.31.0
v2.31.1
v2.31.2
v2.31.3
v2.31.4
v2.31.5
v2.32.0
v2.33.0
v2.33.1
v2.34.0
v2.34.1
v2.35.0
v2.35.1
v2.36.0
v2.36.1
v2.36.2
v2.36.3
v2.37.0
v2.37.1
v2.37.2
v2.37.3
v2.38.0
v2.38.1
v2.39.0
v2.39.1
v2.39.2
v2.39.3
v2.4.0
v2.40.0
v2.40.1
v2.40.2
v2.40.3
v2.40.4
v2.40.5
v2.41.0
v2.41.1
v2.41.2
v2.41.3
v2.41.4
v2.41.5
v2.42.0
v2.42.1
v2.42.2
v2.42.3
v2.43.0
v2.43.1
v2.43.2
v2.43.3
v2.43.4
v2.43.5
v2.44.0
v2.44.1
v2.44.2
v2.45.0
v2.46.0
v2.47.0
v2.47.1
v2.47.2
v2.47.3
v2.47.4
v2.47.5
v2.47.6
v2.48.0
v2.48.1
v2.48.2
v2.48.3
v2.49.0
v2.49.1
v2.49.2
v2.49.3
v2.5.0
v2.5.1
v2.50.0
v2.50.1
v2.50.2
v2.50.3
v2.50.4
v2.50.5
v2.51.0
v2.51.1
v2.51.2
v2.51.3
v2.51.4
v2.52.0
v2.52.1
v2.53.0
v2.53.1
v2.53.2
v2.54.0
v2.54.1
v2.54.2
v2.54.3
v2.55.0
v2.55.1
v2.55.2
v2.56.0
v2.56.1
v2.57.0
v2.58.0
v2.58.1
v2.58.2
v2.58.3
v2.59.0
v2.59.1
v2.6.0
v2.60.0
v2.61.0
v2.62.0
v2.62.1
v2.62.2
v2.62.3
v2.63.0
v2.63.1
v2.63.2
v2.63.3
v2.63.4
v2.64.0
v2.64.1
v2.65.0
v2.65.1
v2.65.2
v2.65.3
v2.65.4
v2.66.0
v2.66.1
v2.66.2
v2.66.3
v2.67.0
v2.67.1
v2.67.2
v2.67.3
v2.67.4
v2.68.0
v2.68.1
v2.69.0
v2.69.1
v2.69.2
v2.69.3
v2.7.0
v2.70.0
v2.70.1
v2.71.0
v2.71.1
v2.71.10
v2.71.11
v2.71.12
v2.71.13
v2.71.14
v2.71.15
v2.71.16
v2.71.17
v2.71.18
v2.71.19
v2.71.2
v2.71.3
v2.71.4
v2.71.5
v2.71.6
v2.71.7
v2.71.8
v2.71.9
v2.8.0
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.4.0
v4.5.0
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v4.6.6
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.7.6
v4.8.0
v4.8.1
v4.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23511.json"