Primary

Context

Zitadel Identity Infrastructure Software User Enumeration Vulnerability

Vulnerability

Patched

A user enumeration vulnerability has been identified in Zitadel, an open-source identity infrastructure software. When the 'Ignoring unknown usernames' setting is enabled, Zitadel normalizes usernames during the login process. This normalization inadvertently discloses whether a username exists, despite the setting's intention to obscure such information. The vulnerability is present in Zitadel versions prior to 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.

Impact

Exploitation of this vulnerability allows for username enumeration, where an attacker can determine the existence of specific usernames within the Zitadel system.

Remediation

Users are advised to update Zitadel to version 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, or 2.63.9.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

8.2

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

8.2

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Zitadel Identity Infrastructure Software User Enumeration Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Zitadel

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating