CVE-2026-27946
ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.
| CWE | CWE-862 |
| Vendor | zitadel |
| Product | zitadel |
| Published | Feb 26, 2026 |
| Last Updated | Feb 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for zitadel zitadel
Be the first to know when new unknown vulnerabilities affecting zitadel zitadel are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
zitadel / zitadel
>= 4.0.0, < 4.11.0 < 3.4.7