ZITADEL Self-Management Verification Bypass Vulnerability

Vulnerability

A vulnerability exists in ZITADEL's self-management feature that allows users to mark their own email address and phone number as verified without completing the actual verification process. This issue is present in ZITADEL versions 4.0.0 through 4.11.0, 3.0.0 through 3.4.6, and 2.43.0 through 2.71.19. The flaw arises from an inadequate permission check in the API that manages user data: the call that sets the verified flag does not require a permission beyond self-management, so a user can claim ownership of contact information they do not control and potentially circumvent email-based security measures.

Impact

Exploiting this vulnerability could lead to unauthorized verification of email addresses and phone numbers, allowing users to bypass security policies that rely on a verified email address. The vulnerability does not affect the ability to change contact information for other users; it only allows a user to self-verify an email address or phone number they do not own.

Remediation

Upgrade to ZITADEL version 4.11.1, 3.4.7, or 2.71.19 to address this vulnerability. If an upgrade is not feasible, an action (v2) can be used to reject requests that set the verification flag on one's own user account.
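As an added example that is not ZITADEL's own code, a minimal action v2 target (an HTTP endpoint ZITADEL calls during the request phase) implementing the workaround above: it rejects a SetEmail or SetPhone call only when the authenticated caller sets the verified flag on their own user. It assumes the payload fields fullMethod, userID and request, the method names /zitadel.user.v2.UserService/SetEmail and SetPhone, and the JSON field names userId and isVerified; confirm all of these against the ZITADEL actions documentation for your version.

```go
package main
import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)
// callContext is the request-phase payload an action v2 target receives.
// Field names are assumed; confirm them against the ZITADEL actions docs.
type callContext struct {
	FullMethod string          `json:"fullMethod"` // e.g. /zitadel.user.v2.UserService/SetEmail
	UserID     string          `json:"userID"`     // the authenticated caller
	Request    json.RawMessage `json:"request"`    // the API request as JSON
}
type contactRequest struct { // subset of SetEmail/SetPhone fields (names assumed)
	UserID     string `json:"userId"`
	IsVerified *bool  `json:"isVerified"`
}
var guardedMethods = map[string]bool{ // methods that accept a verification flag (assumed)
	"/zitadel.user.v2.UserService/SetEmail": true,
	"/zitadel.user.v2.UserService/SetPhone": true,
}
// Decide returns an error when the call must be rejected, i.e. the caller marks their
// OWN email or phone as verified. Calls on other users stay with ZITADEL's permission checks.
func Decide(payload []byte) error {
	var ctx callContext
	if err := json.Unmarshal(payload, &ctx); err != nil {
		return fmt.Errorf("decode context: %w", err)
	}
	if !guardedMethods[ctx.FullMethod] {
		return nil // nothing to check on this method
	}
	var req contactRequest
	if err := json.Unmarshal(ctx.Request, &req); err != nil {
		return fmt.Errorf("decode request: %w", err)
	}
	if req.IsVerified != nil && *req.IsVerified && req.UserID == ctx.UserID {
		return fmt.Errorf("self-verification of contact data is not allowed")
	}
	return nil
}
// Handle is the HTTP endpoint registered as the target. A non-2xx status makes
// ZITADEL abort the API call when the target is configured to interrupt on error.
func Handle(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil {
		http.Error(w, "unreadable body", http.StatusBadRequest)
	} else if derr := Decide(body); derr != nil {
		http.Error(w, derr.Error(), http.StatusForbidden)
	} // an empty 200 leaves the request unchanged
}
```

Register the endpoint (for example via http.ListenAndServe with Handle) as a request target on those two methods with "interrupt on error" enabled, so that a rejection actually aborts the call.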

Added: Feb 26, 2026, 7:33 AM
Updated: Feb 26, 2026, 7:33 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 5.4
remediation: 8.3
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.