GHSA-rxvx-hhpj-q6px

Source

https://github.com/advisories/GHSA-rxvx-hhpj-q6px

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rxvx-hhpj-q6px/GHSA-rxvx-hhpj-q6px.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rxvx-hhpj-q6px

Aliases

CVE-2026-44671

Published

2026-05-08T17:11:29Z

Modified

2026-05-08T17:17:45.766686Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

ZITADEL has LDAP Filter Injection in Login Flow

Details

Summary

A vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.

Impact

While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory.

Note that an authentication bypass is not possible.

Affected Versions

Systems integrating LDAP as IdPs and running one of the following versions are affected:

4.x: 4.0.0 through 4.14.0 (including RC versions)
3.x: 3.1.0 through 3.4.9
2.x: 2.71.11 through 2.71.19

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.

4.x: Upgrade to >=4.15.0
3.x: Update to >=3.4.10
2.x: Update to >=3.4.10

Workarounds

The recommended solution is to upgrade to a patched version. If an immediate upgrade is not possible, developers should ensure their project's LDAP directory has strict access controls to limit the scope of information disclosure.

Questions

If there are any questions or comments about this advisory, please send an email to security@zitadel.com

Credits

This vulnerability was identified and reported by ProScan AppSec (https://proscan.one/).

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T17:11:29Z",
    "cwe_ids": [
        "CWE-90"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

Go / github.com/zitadel/zitadel

Package

Name: github.com/zitadel/zitadel; View open source insights on deps.dev
Purl: pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Fixed

4.15.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rxvx-hhpj-q6px/GHSA-rxvx-hhpj-q6px.json"

last_known_affected_version_range

"<= 4.14.0"

Go / github.com/zitadel/zitadel

Package

Name: github.com/zitadel/zitadel; View open source insights on deps.dev
Purl: pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type: SEMVER
Events: Introduced

2.71.11

Last affected

2.71.19

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rxvx-hhpj-q6px/GHSA-rxvx-hhpj-q6px.json"

Go / github.com/zitadel/zitadel

Package

Name: github.com/zitadel/zitadel; View open source insights on deps.dev
Purl: pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type: SEMVER
Events: Introduced

3.1.0

Fixed

3.4.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rxvx-hhpj-q6px/GHSA-rxvx-hhpj-q6px.json"

last_known_affected_version_range

"<= 3.4.9"