Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29067 is a high-severity vulnerability in ZITADEL versions 4.0.0-rc.1 through 4.7.0 affecting the password reset mechanism in the V2 login UI.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because ZITADEL uses the Forwarded or X-Forwarded-Host HTTP headers from incoming requests to build the URL included in password reset confirmation emails without proper validation.'}, {'type': 'paragraph', 'content': 'An attacker who can manipulate these headers can cause ZITADEL to generate password reset links that point to a malicious domain controlled by the attacker.'}, {'type': 'paragraph', 'content': "If a user clicks on such a manipulated link, the secret reset code embedded in the URL can be intercepted by the attacker, allowing them to reset the user's password and take over the account."}, {'type': 'paragraph', 'content': 'This issue was fixed in ZITADEL version 4.7.1 by validating these headers against trusted domains.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to account takeover by attackers who manipulate HTTP headers to intercept password reset links.'}, {'type': 'paragraph', 'content': "If successful, an attacker can reset a user's password and gain unauthorized access to their account."}, {'type': 'paragraph', 'content': 'The impact includes high confidentiality and integrity risks, as sensitive user accounts can be compromised.'}, {'type': 'paragraph', 'content': 'Multi-Factor Authentication (MFA) or Passwordless authentication can mitigate the risk of account takeover from this vulnerability.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves manipulation of the Forwarded or X-Forwarded-Host HTTP headers in requests to ZITADEL's password reset mechanism. Detection can focus on monitoring incoming HTTP requests for unusual or unexpected values in these headers."}, {'type': 'paragraph', 'content': 'You can inspect HTTP request headers to identify suspicious or unexpected X-Forwarded-Host or Forwarded headers that might be used to exploit this vulnerability.'}, {'type': 'list_item', 'content': 'Use network traffic capture tools like tcpdump or Wireshark to filter HTTP requests containing X-Forwarded-Host or Forwarded headers.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture HTTP headers: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'X-Forwarded-Host\\|Forwarded'"}, {'type': 'list_item', 'content': 'Check ZITADEL server logs for password reset requests and verify the headers used to generate reset links.'}, {'type': 'list_item', 'content': 'Review email logs or intercepted password reset emails to detect if reset links contain unexpected or malicious domains.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in ZITADEL version 4.7.1 and later. The immediate step is to upgrade your ZITADEL deployment to version 4.7.1 or newer.

As a workaround before upgrading, configure a fronting proxy to remove or override the Forwarded and X-Forwarded-Host headers from incoming requests before they reach ZITADEL.

Ensure that the ZITADEL_API_URL is correctly set and that the HTTP host or X-Forwarded-Host headers are properly passed through reverse proxies.

In multi-instance environments, set the X-ZITADEL-INSTANCE-HOST or X-ZITADEL-FORWARD-HOST headers to trusted values.

Enable Multi-Factor Authentication (MFA) or Passwordless authentication to mitigate the risk of account takeover even if the vulnerability is exploited.

Useful 0 Not Useful 0