Zitadel Multi-Factor Authentication Bypass Vulnerability

Vulnerability

A vulnerability in Zitadel's authentication process allows users to bypass multi-factor authentication (MFA) requirements. This issue affects Zitadel versions 2.53.6, 2.54.3, 2.55.0, and all versions in the 3.x and 4.x series prior to the patched releases. The vulnerability arises because Zitadel only enforced MFA when the login policy's 'requireMFA' or 'requireMFAForLocalUsers' requirement was enabled. As a result, users who had set up MFA on their own account, without one of these policy requirements in place, could have their sessions authenticated with just a single factor, undermining the security of accounts with two-factor authentication enabled. Exploiting this vulnerability allows attackers to bypass password verification and directly target the TOTP code, potentially compromising accounts.

Impact

Exploiting this vulnerability weakens the multi-factor authentication process, allowing attackers to bypass the more secure authentication factors and directly access accounts with two-factor authentication enabled.

Reproduction

To reproduce this vulnerability, log into a Zitadel account that has multi-factor authentication set up, but whose login policy has neither the 'requireMFA' nor the 'requireMFAForLocalUsers' requirement enabled. Once logged in, the session is authenticated with just the single factor, bypassing the password verification entirely. This can be verified through the session API, where the session is reported as valid without multiple authentication factors having been verified.
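The enforcement rule described in the Vulnerability and Reproduction sections, as an added illustration that is not Zitadel's own code: a small Go program that evaluates a session against the flawed rule (a second factor is demanded only when a policy flag says so) and against a corrected rule (a second factor is also demanded whenever the user has one enrolled). The JSON shape of the session, the `LoginPolicy` and `User` types and all function names are assumptions made for this example; the sample session document is constructed. A defender can apply the same corrected rule as an audit over the sessions returned by the session API to find sessions that were accepted with fewer factors than the account has enrolled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LoginPolicy models the two login-policy flags named in the advisory.
type LoginPolicy struct {
	RequireMFA              bool
	RequireMFAForLocalUsers bool
}

// User records what the account has enrolled; HasSecondFactor is true when
// a TOTP or WebAuthn factor has been set up on the account.
type User struct {
	IsLocal         bool
	HasSecondFactor bool
}

// factor mirrors one entry of a session's "factors" object; an empty
// VerifiedAt means the factor was never verified in this session.
type factor struct {
	VerifiedAt string `json:"verifiedAt"`
}

// session is the subset of a session-API response this check needs.
// The JSON shape is an assumption modelled after a session object with
// per-factor verification timestamps; it is not taken from the advisory.
type session struct {
	Factors struct {
		Password factor `json:"password"`
		TOTP     factor `json:"totp"`
		WebAuthN factor `json:"webAuthN"`
	} `json:"factors"`
}

func (s session) passwordVerified() bool { return s.Factors.Password.VerifiedAt != "" }

func (s session) secondFactorVerified() bool {
	return s.Factors.TOTP.VerifiedAt != "" || s.Factors.WebAuthN.VerifiedAt != ""
}

// VulnerableMFARequired is the flawed rule the advisory describes: a second
// factor is demanded only when a login-policy flag requires it, so a user who
// enrolled MFA voluntarily is accepted with a single factor.
func VulnerableMFARequired(p LoginPolicy, u User) bool {
	return p.RequireMFA || (p.RequireMFAForLocalUsers && u.IsLocal)
}

// FixedMFARequired additionally demands a second factor whenever the user
// has one enrolled, regardless of the policy flags.
func FixedMFARequired(p LoginPolicy, u User) bool {
	return VulnerableMFARequired(p, u) || u.HasSecondFactor
}

// SessionAccepted applies a rule to a raw session document: the password
// factor must be verified and, if the rule demands MFA, a second factor must
// be verified as well. It returns false (with no error) for a session that
// must not be treated as fully authenticated.
func SessionAccepted(rule func(LoginPolicy, User) bool, p LoginPolicy, u User, raw []byte) (bool, error) {
	var s session
	if err := json.Unmarshal(raw, &s); err != nil {
		return false, err
	}
	if !s.passwordVerified() {
		return false, nil
	}
	if rule(p, u) && !s.secondFactorVerified() {
		return false, nil
	}
	return true, nil
}

// Constructed sample: a session in which only the password was verified.
const singleFactorSession = `{"factors":{"password":{"verifiedAt":"2025-10-29T19:00:00Z"}}}`

func main() {
	policy := LoginPolicy{} // neither requireMFA nor requireMFAForLocalUsers set
	user := User{IsLocal: true, HasSecondFactor: true}

	v, _ := SessionAccepted(VulnerableMFARequired, policy, user, []byte(singleFactorSession))
	f, _ := SessionAccepted(FixedMFARequired, policy, user, []byte(singleFactorSession))
	fmt.Printf("flawed rule accepts single-factor session:    %v\n", v) // true
	fmt.Printf("corrected rule accepts single-factor session: %v\n", f) // false
}
```

The point the two rules make concrete is that MFA enforcement must key off what the account has enrolled, not only off tenant-wide policy flags; the flawed rule is exactly the gap that lets a session with one verified factor pass for an account that has two.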

Remediation

Users are advised to update Zitadel to version 4.6.0, 3.4.3, or 2.71.18, where this vulnerability has been patched.

Added: Oct 29, 2025, 7:18 PM
Updated: Oct 29, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          5.0
  exploitability  6.4
  remediation     7.7
  relevance       0.8
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.