CVE-2026-23511: Zitadel has a user enumeration vulnerability in Login UIs
A user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm whether a given account exists by iterating through candidate usernames and user IDs and observing how the login UI responds.
References
- github.com/advisories/GHSA-pvm5-9frx-264r
- github.com/zitadel/zitadel
- github.com/zitadel/zitadel/commit/0bb00dd9fc4e5e965f8e14fa2161a5076f3c308d
- github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2
- github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d
- github.com/zitadel/zitadel/releases/tag/v3.4.6
- github.com/zitadel/zitadel/releases/tag/v4.9.1
- github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r
- nvd.nist.gov/vuln/detail/CVE-2026-23511