CVE-2026-27946
Received Received - Intake
Improper Verification Bypass in ZITADEL Self-Management Module

Publication date: 2026-02-26

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27946
EUVD
EUVD-2026-8794
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 3.4.7 (exc)
zitadel zitadel From 4.0.0 (inc) to 4.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27946 is a vulnerability in Zitadel's user self-management API, specifically the UpdateHumanUser API, affecting multiple versions before 4.11.1 and 3.4.7."}, {'type': 'paragraph', 'content': 'The flaw allows users to mark their own email addresses and phone numbers as verified without completing the actual verification process due to improper permission checks.'}, {'type': 'paragraph', 'content': 'This means users can falsely claim ownership of email addresses or phone numbers they do not control by setting the verification flag on their own contact details without proper authorization.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the API permits setting the "verified" flag on the user\'s own email or phone without requiring the correct permissions, although attempts to change another user\'s details correctly enforce permission checks.'}, {'type': 'paragraph', 'content': 'The issue is fixed in patched versions by enforcing proper permission validation and restricting verification flag changes to authorized contexts.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to falsely verify email addresses and phone numbers without completing the actual verification process.

Such unauthorized verification can lead to integrity compromise, as users can claim ownership of contact information they do not control.

This may enable bypassing email-based security policies that rely on verified contact information, potentially undermining trust in user identity verification.

However, the vulnerability does not impact confidentiality or availability of the system.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized users marking their own email addresses and phone numbers as verified without completing the actual verification process via the UpdateHumanUser API in Zitadel.'}, {'type': 'paragraph', 'content': 'Detection would involve monitoring API calls to the UpdateHumanUser endpoint for attempts to set the verification flag on user email or phone fields without proper permission.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to API misuse, you can detect it by logging and analyzing API requests that include changes to the verification flags on user contact information.'}, {'type': 'paragraph', 'content': 'Specific commands depend on your logging and monitoring setup, but examples include:'}, {'type': 'list_item', 'content': 'Using network traffic capture tools (e.g., tcpdump or Wireshark) to filter HTTP requests to the UpdateHumanUser API endpoint and inspect payloads for verification flag changes.'}, {'type': 'list_item', 'content': 'Querying Zitadel logs or audit trails for UpdateHumanUser API calls where the verification flag is set by the user without corresponding verification events.'}, {'type': 'list_item', 'content': "Example command to capture HTTP traffic to the API endpoint (replace <API_ENDPOINT> with actual URL): tcpdump -i any -A -s 0 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'UpdateHumanUser'"}, {'type': 'list_item', 'content': 'Using API request logs, run queries to find requests where the verification flag is set without proper permissions.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade Zitadel to a patched version where this vulnerability is fixed: versions 4.11.1 or later for the 4.x branch, 3.4.7 or later for the 3.x branch, and 3.4.7 or later for the 2.x branch.

If upgrading is not immediately possible, a workaround is to use an action (v2) to prevent users from setting the verification flag on their own user accounts.

This workaround restricts the ability to mark email or phone as verified without proper permission checks, thereby mitigating the risk of unauthorized self-verification.

Additionally, review and tighten permission settings related to user self-management APIs to ensure that verification flags cannot be set without appropriate authorization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart