CVE-2026-32132
Received Received - Intake
Improper Expiration Check in ZITADEL Passkey Registration Enables Account Takeover

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow an attacker to potentially register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32132
EUVD
EUVD-2026-11412
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 3.4.8 (exc)
zitadel zitadel From 4.0.0 (inc) to 4.12.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ZITADEL's passkey registration endpoints prior to versions 3.4.8 and 4.12.2. The issue is due to an improper expiration check of a previously retrieved code used during passkey registration. Because of this flaw, an attacker could reuse an expired or otherwise invalid code to register their own passkey, thereby gaining unauthorized access to the victim's account.

Impact Analysis

The vulnerability can allow an attacker to register a passkey on behalf of a victim by exploiting the improper expiration check. This means the attacker could gain unauthorized access to the victim's account, potentially compromising sensitive information and user identity within the ZITADEL identity management platform.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Zitadel to version 3.4.8 or 4.12.2 or later, where the issue with improper expiration check of the passkey registration code has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32132. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart