ZITADEL Passkey Registration Code Validation Vulnerability Allowing Account Takeover

Vulnerability

A vulnerability in ZITADEL's passkey registration endpoints prior to versions 3.4.8 and 4.12.2 allows an attacker to register a passkey using an expired code. The flaw arises from an improper expiration check, which could enable an attacker to reset the expiration window of a code and register their own passkey, gaining access to the victim's account. This issue affects ZITADEL versions 4.0.0 through 4.12.1, 3.0.0 through 3.4.7, and all 2.x versions up to 2.71.19.
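The advisory names the root cause as an improper expiration check on the registration code but does not show the faulty logic. As an added illustration (not ZITADEL's code, and not a reconstruction of the actual bug), the following Go sketch shows the general shape of a one-time code check that is safe against the failure mode described: the expiry is derived from an issuance timestamp that is written once and never refreshed by a validation attempt, and an expired code is dropped rather than left in a state that a later request could revive. The store, identifiers and clock injection are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknownCode = errors.New("unknown registration code")
	ErrUsedCode    = errors.New("registration code already used")
	ErrExpiredCode = errors.New("registration code expired")
)

// codeRecord is a hypothetical one-time passkey registration code.
// issuedAt is set exactly once; the expiry is always computed from it.
type codeRecord struct {
	issuedAt time.Time
	ttl      time.Duration
	used     bool
}

// CodeStore keeps issued codes keyed by an opaque identifier (hypothetical).
// The clock is injected so the expiry logic can be exercised deterministically.
type CodeStore struct {
	codes map[string]*codeRecord
	now   func() time.Time
}

func NewCodeStore(now func() time.Time) *CodeStore {
	return &CodeStore{codes: map[string]*codeRecord{}, now: now}
}

// Issue records a fresh code with its own issuance time.
func (s *CodeStore) Issue(id string, ttl time.Duration) {
	s.codes[id] = &codeRecord{issuedAt: s.now(), ttl: ttl}
}

// Consume validates a code and marks it used. The check reads issuedAt and
// never writes it, so repeated validation attempts cannot extend the window.
func (s *CodeStore) Consume(id string) error {
	rec, ok := s.codes[id]
	if !ok {
		return ErrUnknownCode
	}
	if rec.used {
		return ErrUsedCode
	}
	expiresAt := rec.issuedAt.Add(rec.ttl)
	if !s.now().Before(expiresAt) {
		// Remove the expired record so no later code path can refresh its
		// timestamp and bring it back into the validity window.
		delete(s.codes, id)
		return ErrExpiredCode
	}
	rec.used = true
	return nil
}

func main() {
	clock := time.Date(2026, 3, 11, 22, 0, 0, 0, time.UTC)
	store := NewCodeStore(func() time.Time { return clock })
	store.Issue("code-A", 10*time.Minute)
	clock = clock.Add(11 * time.Minute)
	fmt.Println(store.Consume("code-A")) // registration code expired
	fmt.Println(store.Consume("code-A")) // unknown registration code
}
```

The design point for reviewers is the single write to issuedAt: any endpoint that can be reached with an expired code (resend, retry, re-validation) must not touch that field or re-create the record under the same identifier.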

Impact

Exploitation of this vulnerability could lead to unauthorized access to a victim's account by allowing an attacker to register a passkey for the account, effectively taking over the account.

Remediation

Users can upgrade to ZITADEL versions 4.12.2 or 3.4.8 to address this vulnerability. Instructions for downloading these versions are available on the ZITADEL GitHub Releases page.

Added: Mar 11, 2026, 10:37 PM
Updated: Mar 11, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.3
exploitability: 5.8
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.