Back to overview

CVE-2026-56666

MEDIUM
4.8
CVSS 3.1
Description
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.

Metadata

CVE ID
CVE-2026-56666
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-22 16:39 UTC
Published
2026-07-10 17:37 UTC
Last updated
2026-07-10 17:37 UTC
Primary CWE
CWE-287
CWE-287: Improper Authentication
Vendor / Product
zitadel / zitadel
Sources
cve.org  ·  NVD

Severity & Metrics

4.8 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
zitadel zitadel < 4.15.3
Weakness (CWE)
CWESourceDescription
CWE-287 cna CWE-287: Improper Authentication
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.8 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References (3)
Back to overview