x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-pvm5-9frx-264r

[GoVulnBot]

Advisory GHSA-pvm5-9frx-264r references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:

Summary

A user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.

Impact

The login UIs (in version 1 and 2) provide the possibility to request a password reset, where an email will be sent to the user with a link to a verification endpoint.
By submitting arbitrary userIDs to these endpoints, an attacker can differentiate between valid and invalid accounts based on the system's response.

For an effective exploit the a...

References:

• ADVISORY: GHSA-pvm5-9frx-264r
• ADVISORY: GHSA-pvm5-9frx-264r
• FIX: zitadel/zitadel@0bb00dd
• FIX: zitadel/zitadel@b85ab69
• WEB: https://github.com/zitadel/zitadel/releases/tag/v3.4.6
• WEB: https://github.com/zitadel/zitadel/releases/tag/v4.9.1

Cross references:

• github.com/zitadel/zitadel appears in 32 other report(s):
  • data/excluded/GO-2022-0961.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961) NOT_IMPORTABLE
  • data/excluded/GO-2023-1489.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489) NOT_IMPORTABLE
  • data/excluded/GO-2023-2107.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2155.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2187.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2368.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368) NOT_IMPORTABLE
  • data/reports/GO-2024-2637.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637)
  • data/reports/GO-2024-2655.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655)
  • data/reports/GO-2024-2664.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664)
  • data/reports/GO-2024-2665.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665)
  • data/reports/GO-2024-2788.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788)
  • data/reports/GO-2024-2804.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804)
  • data/reports/GO-2024-2968.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968)
  • data/reports/GO-2024-3014.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952 #3014)
  • data/reports/GO-2024-3015.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953 #3015)
  • data/reports/GO-2024-3137.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-2w5j-qfvw-2hf5 #3137)
  • data/reports/GO-2024-3138.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-jj94-6f5c-65r8 #3138)
  • data/reports/GO-2024-3139.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-qr2h-7pwm-h393 #3139)
  • data/reports/GO-2024-3216.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49753 #3216)
  • data/reports/GO-2024-3217.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757 #3217)
  • data/reports/GO-2025-3499.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499)
  • data/reports/GO-2025-3671.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671)
  • data/reports/GO-2025-3721.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-93m4-mfpg-c3xf #3721)
  • data/reports/GO-2025-4083.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-cfjq-28r2-4jv5 #4083)
  • data/reports/GO-2025-4084.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-mwmh-7px9-4c23 #4084)
  • data/reports/GO-2025-4085.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-xrw9-r35x-x878 #4085)
  • data/reports/GO-2025-4099.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-cpf4-pmr4-w6cx #4099)
  • data/reports/GO-2025-4124.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-j4g7-v4m4-77px #4124)
  • data/reports/GO-2025-4210.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-7wfc-4796-gmg5 #4210)
  • data/reports/GO-2025-4212.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-pfrf-9r5f-73f5 #4212)
  • data/reports/GO-2025-4213.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-v959-qxv6-6f8p #4213)
  • data/reports/GO-2025-4227.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f4cf-9rvr-2rcx #4227)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      non_go_versions:
        - introduced: TODO (earliest fixed "3.4.6", vuln range "<= 3.4.5")
        - introduced: TODO (earliest fixed "4.9.1", vuln range ">= 4.0.0, <= 4.9.0")
      vulnerable_at: 1.87.5
summary: Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel
cves:
    - CVE-2026-23511
ghsas:
    - GHSA-pvm5-9frx-264r
references:
    - advisory: https://github.com/advisories/GHSA-pvm5-9frx-264r
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r
    - fix: https://github.com/zitadel/zitadel/commit/0bb00dd9fc4e5e965f8e14fa2161a5076f3c308d
    - fix: https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2
    - web: https://github.com/zitadel/zitadel/releases/tag/v3.4.6
    - web: https://github.com/zitadel/zitadel/releases/tag/v4.9.1
notes:
    - fix: 'module merge error: could not merge versions of module github.com/zitadel/zitadel: invalid or non-canonical semver version (found TODO (earliest fixed "3.4.6", vuln range "<= 3.4.5"))'
source:
    id: GHSA-pvm5-9frx-264r
    created: 2026-01-15T19:01:24.77291915Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/736920 mentions this issue: data/reports: add 15 reports