CVE-2026-29067
Published: 07 March 2026
Summary
CVE-2026-29067 is a high-severity Open Redirect (CWE-601) vulnerability in ZITADEL, the open source identity management platform by Zitadel. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 2.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Requires validation of untrusted inputs such as the Forwarded and X-Forwarded-Host headers at entry points, so that a request cannot dictate the host used in the password reset confirmation URL.
- Directly remediates the flaw in ZITADEL's login V2 password reset mechanism by identifying, testing, and applying the vendor patch (version 4.7.1 or later).
- Enforces restrictions on information inputs at system boundaries: host values taken from proxy headers for password reset link generation are either rejected when invalid or limited to an explicit allow-list of configured hosts.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability in the public-facing ZITADEL password reset flow is exploited directly through crafted, unauthenticated requests that manipulate the Forwarded/X-Forwarded-Host headers (T1190). This poisons the emailed reset link so that the victim is directed to an attacker-controlled domain, where the secret code is captured (T1566.002).
NVD Description
ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1.
Deeper analysis [AI-generated]
CVE-2026-29067 is a vulnerability in ZITADEL, an open source identity management platform, affecting versions from 4.0.0-rc.1 to 4.7.0. The issue resides in the login V2 password reset mechanism, where ZITADEL relies on the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, which includes a secret code, is then emailed to the user for verification. The flaw corresponds to CWE-601, involving open redirects via untrusted headers.
An attacker with network access can exploit this vulnerability without authentication by sending a crafted request to the password reset endpoint, manipulating the Forwarded or X-Forwarded-Host header to redirect the confirmation link to a malicious domain under their control. This requires user interaction, as the victim must click the phishing-like link in the email (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). Successful exploitation allows the attacker to capture the secret code, enabling unauthorized password resets and potential account takeover with high confidentiality and integrity impacts.
The vulnerability has been addressed in ZITADEL version 4.7.1. For full details on the patch and mitigation recommendations, refer to the GitHub security advisory at https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5.
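The following Go example, added here for illustration and not taken from ZITADEL's code base, shows the link-building pattern the mitigating controls above describe. It places the flawed approach (the host claimed by proxy headers becomes the origin of the emailed link) beside a hardened builder that only accepts hosts from an operator-configured allow-list and falls back to the default host otherwise, returning the rejected host so it can be logged as a detection signal. The reset path, query parameter names, host names and the attacker host `attacker.invalid` are constructed placeholders, and the header precedence (Forwarded, then X-Forwarded-Host, then Host) is an assumption made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// hostFromForwarded returns the host= parameter of the first element of an
// RFC 7239 Forwarded header value, e.g. `for=192.0.2.1;host=login.example.com`.
// Surrounding quotes are stripped; an absent parameter yields "".
func hostFromForwarded(v string) string {
	first, _, _ := strings.Cut(v, ",")
	for _, pair := range strings.Split(first, ";") {
		k, val, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if ok && strings.EqualFold(k, "host") {
			return strings.Trim(strings.TrimSpace(val), `"`)
		}
	}
	return ""
}

// requestedHost applies the header precedence assumed for this example:
// Forwarded, then X-Forwarded-Host, then the request's own Host.
func requestedHost(r *http.Request) string {
	if h := hostFromForwarded(r.Header.Get("Forwarded")); h != "" {
		return h
	}
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		return h
	}
	return r.Host
}

// resetLink assembles the confirmation URL. The path and query parameter
// names are placeholders for this example, not ZITADEL's real route.
func resetLink(host, userID, code string) string {
	u := url.URL{Scheme: "https", Host: host, Path: "/password/set"}
	q := url.Values{}
	q.Set("userId", userID)
	q.Set("code", code)
	u.RawQuery = q.Encode()
	return u.String()
}

// BuildResetLinkUnsafe shows the flawed pattern: the host claimed by an
// unauthenticated request becomes the origin that receives the secret code.
func BuildResetLinkUnsafe(r *http.Request, userID, code string) string {
	return resetLink(requestedHost(r), userID, code)
}

// ResetLinkBuilder is the hardened variant: proxy headers may only select
// among hosts the operator configured; anything else falls back to the
// default host and is reported so the caller can log it.
type ResetLinkBuilder struct {
	defaultHost string
	allowed     map[string]bool
}

// NewResetLinkBuilder builds the allow-list from the default host plus any
// additional configured hosts, normalised to lower case.
func NewResetLinkBuilder(defaultHost string, extra ...string) *ResetLinkBuilder {
	b := &ResetLinkBuilder{defaultHost: strings.ToLower(defaultHost), allowed: map[string]bool{}}
	for _, h := range append([]string{defaultHost}, extra...) {
		b.allowed[strings.ToLower(h)] = true
	}
	return b
}

// BuildResetLink returns the safe link and, when the request asked for a host
// outside the allow-list, that rejected host (empty string otherwise).
func (b *ResetLinkBuilder) BuildResetLink(r *http.Request, userID, code string) (link, rejected string) {
	host := strings.ToLower(requestedHost(r))
	if !b.allowed[host] {
		return resetLink(b.defaultHost, userID, code), host
	}
	return resetLink(host, userID, code), ""
}

func main() {
	// Constructed request: a proxy header naming a host the operator never configured.
	req, _ := http.NewRequest("POST", "https://login.example.com/password/reset", nil)
	req.Header.Set("X-Forwarded-Host", "attacker.invalid")
	b := NewResetLinkBuilder("login.example.com", "auth.example.org")
	fmt.Println("unsafe:", BuildResetLinkUnsafe(req, "u1", "s3cr3t"))
	link, rejected := b.BuildResetLink(req, "u1", "s3cr3t")
	fmt.Println("safe  :", link, "| rejected host:", rejected)
}
```

Returning the rejected host rather than failing the request keeps password resets working for users behind a misconfigured proxy while still giving the operator a concrete value to alert on; a stricter deployment can turn a non-empty rejected host into an error instead.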
Details
- CWE(s)