CVE-2026-29193
Received Received - Intake
Authentication Bypass in ZITADEL Login V2 UI Enables Unauthorized Access

Publication date: 2026-03-07

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-29193
EUVD
EUVD-2026-10150
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zitadel zitadel From 4.0.0 (inc) to 4.12.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29193 is a high-severity vulnerability in Zitadel versions 4.0.0 through 4.12.0 affecting the Login V2 user interface.

The flaw allows attackers to bypass configured login behaviors and security policies set by organization administrators, such as disabling user self-registration or enforcing passwordless login methods.

Due to improper enforcement on the login UI server, an attacker can send direct HTTP requests to create new accounts or authenticate using username and password even when these options are disabled.

This results in unauthorized system access.

The issue was fixed in Zitadel version 4.12.1 by properly enforcing security policies on the login UI server.

Impact Analysis

This vulnerability can lead to unauthorized access to your Zitadel identity management system.

Attackers can bypass security policies to self-register new accounts or sign in using passwords even if these options are disabled by your organization.

Such unauthorized access can compromise the confidentiality of sensitive information managed by Zitadel.

The vulnerability has a high confidentiality impact but low integrity and no availability impact.

To mitigate this risk, upgrading to Zitadel version 4.12.1 or later is recommended.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Zitadel to version 4.12.1 or later.

This update enforces the security policies properly on the login UI server, preventing unauthorized self-registration and login bypass.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29193. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart