CVE-2026-23511
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zitadel | zitadel | From 2.0.0 (inc) to 2.71.19 (inc) |
| zitadel | zitadel | From 3.0.0 (inc) to 3.4.5 (inc) |
| zitadel | zitadel | From 4.0.0 (inc) to 4.9.0 (inc) |
| zitadel | zitadel | 2.71.20 |
| zitadel | zitadel | 3.4.6 |
| zitadel | zitadel | 4.9.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23511 is a user enumeration vulnerability in Zitadel's login interfaces. It allows an unauthenticated attacker to determine whether specific usernames or userIDs exist by submitting them to password reset or login endpoints. The system previously returned different responses depending on whether the user existed or not, which enabled attackers to confirm valid accounts. This flaw was due to Zitadel's 'ignoreUnknownUsernames' security feature not being properly implemented, causing the system to leak information through error messages. The vulnerability is fixed in Zitadel versions 4.9.1, 3.4.6, and later, where generic error messages are returned to prevent user enumeration. [1, 2, 5]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to confirm the existence of valid user accounts in your Zitadel identity management system without authentication. This can lead to targeted attacks such as phishing, password guessing, or social engineering against known users. Although the confidentiality impact is low and there is no impact on integrity or availability, the exposure of valid usernames can aid attackers in further compromising accounts. Mitigations like rate limiting can reduce the risk, but upgrading to a patched version is strongly recommended to fully address the issue. [2, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the login and password reset endpoints for responses that differ depending on whether the submitted username or userID is valid. An attacker enumerates users by submitting a series of usernames or userIDs and observing whether the system returns distinct error messages or behaviours (such as sending password reset emails only for valid users), so detection means checking whether the system leaks that information through error messages or response differences during login or password reset attempts. Specific commands are not provided in the resources, but network monitoring tools, or scripts that submit test usernames and compare the responses, can be used to check for this issue. [2, 5]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Zitadel to a patched version: 4.9.1 or later, 3.4.6 or later, or 2.71.20 or later. These versions include fixes that generalize error messages and properly handle the ignoreUnknownUsernames setting to prevent user enumeration. Additionally, implementing rate limiting or similar controls on login and password reset endpoints can help reduce the risk of enumeration attempts. No effective workaround exists for the flaw in Login UI V2 other than upgrading. [2, 4, 5]
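The response discrepancy and the detection signal described in the two answers above, as an added Go example (not code from Zitadel or from this page): a hypothetical password-reset handler whose `ignoreUnknown` flag stands in for the ignoreUnknownUsernames setting, leaking existence when false and answering generically when true, followed by a log check that flags clients probing many distinct usernames on the reset path. Usernames, client IPs, the path and the log lines are constructed.

```go
package main

import "strings"
// Constructed user store standing in for the identity provider's lookup.
var users = map[string]bool{"alice@example.com": true, "bob@example.com": true}
var ResetMailsSent int // counts the side effect only the mailbox owner ever sees
// PasswordReset models the CWE-204 discrepancy: with ignoreUnknown=false an unknown
// username gets a distinct error (the oracle); with ignoreUnknown=true every caller
// gets the same status and message, and mail goes out only if the account exists.
func PasswordReset(username string, ignoreUnknown bool) (int, string) {
	exists := users[strings.ToLower(username)]
	if !ignoreUnknown && !exists {
		return 404, "user not found"
	}
	if exists {
		ResetMailsSent++ // stands in for sending the reset mail
	}
	return 200, "if the account exists, a reset mail was sent"
}
// Constructed access-log lines: client IP, path, username attempted.
var AccessLog = []string{
	"203.0.113.7 /ui/login/password/reset alice@example.com",
	"203.0.113.7 /ui/login/password/reset carol@example.com",
	"203.0.113.7 /ui/login/password/reset dave@example.com",
	"198.51.100.2 /ui/login/password/reset bob@example.com",
	"198.51.100.2 /ui/login/password/reset bob@example.com",
}
// EnumerationSuspects maps each client that tried more than maxDistinct different
// usernames on the reset path to its count: an alert/rate-limit signal independent of the leak.
func EnumerationSuspects(lines []string, maxDistinct int) map[string]int {
	distinct := map[string]int{} // client IP -> number of distinct usernames
	pairs := map[string]bool{}   // "ip user" combinations already counted
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 3 || !strings.HasSuffix(f[1], "/password/reset") {
			continue
		}
		if key := f[0] + " " + strings.ToLower(f[2]); !pairs[key] {
			pairs[key] = true
			distinct[f[0]]++
		}
	}
	suspects := map[string]int{} // only clients over the limit
	for ip, n := range distinct {
		if n > maxDistinct {
			suspects[ip] = n
		}
	}
	return suspects
}
```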