CVE-2026-23511
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: GitHub, Inc.

Description
ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23511
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
zitadel zitadel From 2.0.0 (inc) to 2.71.19 (inc)
zitadel zitadel From 3.0.0 (inc) to 3.4.5 (inc)
zitadel zitadel From 4.0.0 (inc) to 4.9.0 (inc)
zitadel zitadel 2.71.20
zitadel zitadel 3.4.6
zitadel zitadel 4.9.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23511 is a user enumeration vulnerability in Zitadel's login interfaces. It allows an unauthenticated attacker to determine whether specific usernames or userIDs exist by submitting them to password reset or login endpoints. The system previously returned different responses depending on whether the user existed or not, which enabled attackers to confirm valid accounts. This flaw was due to Zitadel's 'ignoreUnknownUsernames' security feature not being properly implemented, causing the system to leak information through error messages. The vulnerability is fixed in Zitadel versions 4.9.1, 3.4.6, and later, where generic error messages are returned to prevent user enumeration. [1, 2, 5]

Impact Analysis

This vulnerability can impact you by allowing attackers to confirm the existence of valid user accounts in your Zitadel identity management system without authentication. This can lead to targeted attacks such as phishing, password guessing, or social engineering against known users. Although the confidentiality impact is low and there is no impact on integrity or availability, the exposure of valid usernames can aid attackers in further compromising accounts. Mitigations like rate limiting can reduce the risk, but upgrading to a patched version is strongly recommended to fully address the issue. [2, 5]

Detection Guidance

This vulnerability can be detected by monitoring login and password reset endpoints for differing responses based on username or userID validity. An attacker can enumerate users by submitting various usernames or userIDs and observing if the system returns distinct error messages or behaviors (such as sending password reset emails only for valid users). Detection involves checking if the system leaks information through error messages or response differences during login or password reset attempts. Specific commands are not provided in the resources, but network monitoring tools or scripts that automate username enumeration attempts and analyze responses could be used to detect this issue. [2, 5]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Zitadel to a patched version: 4.9.1 or later, 3.4.6 or later, or 2.71.20 or later. These versions include fixes that generalize error messages and properly handle the ignoreUnknownUsernames setting to prevent user enumeration. Additionally, implementing rate limiting or similar controls on login and password reset endpoints can help reduce the risk of enumeration attempts. No effective workaround exists for the flaw in Login UI V2 other than upgrading. [2, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23511. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart