CVE-2026-56666
ZITADEL: Auto-linking by email: IdP-side email verification is not checked
CVSS Score
4.8
EPSS Score
0.2%
EPSS Percentile
9th
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.
| CWE | CWE-287 |
| Vendor | zitadel |
| Product | zitadel |
| Published | Jul 10, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for zitadel zitadel
Be the first to know when new medium vulnerabilities affecting zitadel zitadel are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
zitadel / zitadel
< 4.15.3