CVE-2026-29067

ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-07 15:15

Updated : 2026-03-10 17:58

NVD link : CVE-2026-29067

Mitre link : CVE-2026-29067

CVE.ORG link : CVE-2026-29067

JSON object : View

Products Affected

zitadel

zitadel

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2026-29067", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}]}, "published": "2026-03-07T15:15:54.890", "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1."}, {"lang": "es", "value": "ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. Desde la versi\u00f3n 4.0.0-rc.1 hasta la 4.7.0, existe una potencial vulnerabilidad en el mecanismo de restablecimiento de contrase\u00f1a de ZITADEL en el inicio de sesi\u00f3n V2. ZITADEL utiliza el encabezado Forwarded o X-Forwarded-Host de las solicitudes entrantes para construir la URL del enlace de confirmaci\u00f3n de restablecimiento de contrase\u00f1a. Este enlace, que contiene un c\u00f3digo secreto, se env\u00eda luego por correo electr\u00f3nico al usuario. Este problema ha sido parcheado en la versi\u00f3n 4.7.1."}], "lastModified": "2026-03-10T17:58:23.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1B051D6-969F-4B70-BF3F-AFD77FB00251", "versionEndExcluding": "4.7.1", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}