๐Ÿ” CVE Alert

CVE-2026-56666

MEDIUM 4.8

ZITADEL: Auto-linking by email: IdP-side email verification is not checked

CVSS Score
4.8
EPSS Score
0.2%
EPSS Percentile
9th

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.

CWE CWE-287
Vendor zitadel
Product zitadel
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for zitadel zitadel

Be the first to know when new medium vulnerabilities affecting zitadel zitadel are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

zitadel / zitadel
< 4.15.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/zitadel/zitadel/security/advisories/GHSA-992q-9gwp-7r79 github.com: https://github.com/zitadel/zitadel/commit/c97012f0c5dc2fe960ae6e940cbea23229f0557f github.com: https://github.com/zitadel/zitadel/releases/tag/v4.15.3