CVE-2026-56666
Deferred Deferred - Pending Action

Email Spoofing in ZITADEL Identity Provider

Vulnerability report for CVE-2026-56666, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
zitadel zitadel 4.15.3
zitadel zitadel From 3.0.0 (inc) to 4.15.2 (inc)
zitadel zitadel to 4.15.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56666 is a vulnerability in ZITADEL versions prior to 4.15.3 that affects the external identity provider (IdP) handler's auto-linking feature by email.

The issue arises because ZITADEL only verifies that the local user's email is confirmed but does not verify that the external IdP has confirmed ownership of the same email before linking accounts automatically.

This allows an attacker to create an account on a permissive external IdP using a victim's email address, then log in and have their federated identity automatically linked to the victim's local account without the victim's knowledge or consent.

The vulnerability depends on configuration, specifically when email auto-linking is enabled with a permissive IdP that does not enforce strict email verification.

It has been fixed in version 4.15.3 by ensuring that both the local user's and the external IdP user's emails are verified before auto-linking.

Impact Analysis

This vulnerability can allow an attacker to gain unauthorized access to a victim's local account by linking their external identity without the victim's consent.

If an administrator enables email auto-linking with a permissive external IdP that does not enforce email verification, an attacker can register an account using the victim's email, then automatically link and access the victim's account.

This can lead to unauthorized access to sensitive information or actions within the victim's account.

The severity is considered moderate with a CVSS score of 4.8, reflecting low impact on confidentiality and integrity but no required privileges or user interaction for exploitation.

Mitigations include upgrading to version 4.15.3 or later, disabling email auto-linking, or restricting it to trusted IdPs with strict email verification.

Detection Guidance

This vulnerability is configuration-dependent and occurs when email auto-linking is enabled for a permissive external identity provider (IdP) that does not enforce email verification.

To detect if your system is vulnerable, check if your ZITADEL version is between 3.0.0 and 4.15.2 (inclusive) and if email auto-linking is enabled for external IdPs that allow unverified email sign-ups.

There are no specific network or system commands provided in the resources to detect exploitation attempts or the vulnerability directly.

However, you can audit your ZITADEL configuration by reviewing the settings related to external identity provider auto-linking and verifying the version of ZITADEL installed.

Mitigation Strategies

The primary mitigation is to upgrade ZITADEL to version 4.15.3 or later, where the vulnerability has been fixed.

If immediate upgrading is not possible, you should disable email auto-linking entirely or restrict it to trusted enterprise identity providers that enforce strict email verification policies.

These steps prevent attackers from linking accounts by exploiting unverified email addresses from permissive external IdPs.

Compliance Impact

This vulnerability allows an attacker to link their account to a victim's local account by exploiting the lack of verification of the external identity provider's confirmation of email ownership. This unauthorized account linking can lead to unauthorized access to personal data.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over user identity verification and protection of personal data.

The vulnerability is configuration-dependent and can be mitigated by disabling email auto-linking or restricting it to trusted identity providers with strict email verification policies, thereby reducing the risk of non-compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart