Cyber Resilience

CVE-2026-29067

High

Published: 07 March 2026

Modified: 10 March 2026
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0032 (23.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29067 is a high-severity Open Redirect (CWE-601) vulnerability in ZITADEL (vendor Zitadel). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks this CVE at the 23.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29067 is a vulnerability in ZITADEL, an open source identity management platform, affecting versions from 4.0.0-rc.1 to 4.7.0. The issue resides in the login V2 password reset mechanism, where ZITADEL relies on the Forwarded or X-Forwarded-Host header of the incoming request to construct the URL for the password reset confirmation link. This link, which includes a secret code, is then emailed to the user for verification. The flaw corresponds to CWE-601 (URL Redirection to Untrusted Site, "Open Redirect"), here reached through untrusted proxy headers rather than a redirect parameter.

An attacker with network access can exploit this vulnerability without authentication by sending a crafted request to the password reset endpoint, manipulating the Forwarded or X-Forwarded-Host header to redirect the confirmation link to a malicious domain under their control. This requires user interaction, as the victim must click the phishing-like link in the email (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). Successful exploitation allows the attacker to capture the secret code, enabling unauthorized password resets and potential account takeover with high confidentiality and integrity impacts.
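To make the defensive point concrete, the following Go snippet (written for this page, not ZITADEL's own code) shows how reset-link generation can refuse to trust a forwarded host unless it matches the instance's configured canonical host or an explicit allowlist of hosts a trusted reverse proxy may present. The path `/password/set` and the parameter name `code` are assumed placeholders, not ZITADEL's actual routes.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// ErrUntrustedHost is returned when a forwarded host is not on the allowlist.
var ErrUntrustedHost = errors.New("forwarded host not in allowlist")

// forwardedHost returns the host a request claims it was sent to, checking
// X-Forwarded-Host first, then the RFC 7239 Forwarded "host=" directive of
// the first hop. An empty string means the request carried no forwarding hint.
func forwardedHost(h http.Header) string {
	if v := strings.TrimSpace(h.Get("X-Forwarded-Host")); v != "" {
		return v
	}
	first := strings.SplitN(h.Get("Forwarded"), ",", 2)[0]
	for _, pair := range strings.Split(first, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if ok && strings.EqualFold(k, "host") {
			return strings.Trim(strings.TrimSpace(v), `"`)
		}
	}
	return ""
}

// ResetLinkHost resolves the host to embed in a password-reset link.
// canonical is the configured external host of the instance; allowed lists
// the hosts a trusted proxy may legitimately forward. Anything else is
// rejected instead of being echoed into the emailed link (the CVE's defect).
func ResetLinkHost(h http.Header, canonical string, allowed []string) (string, error) {
	fw := forwardedHost(h)
	if fw == "" {
		return canonical, nil
	}
	for _, a := range allowed {
		if strings.EqualFold(a, fw) {
			return fw, nil
		}
	}
	return "", ErrUntrustedHost
}

// BuildResetLink assembles the confirmation URL; path and parameter are hypothetical.
func BuildResetLink(host, code string) string {
	u := url.URL{Scheme: "https", Host: host, Path: "/password/set"}
	u.RawQuery = url.Values{"code": {code}}.Encode()
	return u.String()
}
```

A deployment that terminates TLS at a proxy should keep the allowlist to the hosts that proxy actually serves; an unexpected ErrUntrustedHost in the logs is a useful signal that someone is tampering with forwarding headers.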

The vulnerability has been addressed in ZITADEL version 4.7.1. For full details on the patch and mitigation recommendations, refer to the GitHub security advisory at https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5.


Vulnerability details

ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Why these techniques?

The vulnerability in the public-facing ZITADEL password reset flow is exploited directly via crafted, unauthenticated requests that manipulate the Forwarded/X-Forwarded-Host header (T1190); this poisons the emailed reset link so the victim is directed to an attacker-controlled domain that captures the secret code (T1566.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64103 (same product: Zitadel Zitadel)
CVE-2026-32132 (same product: Zitadel Zitadel)
CVE-2026-32130 (same product: Zitadel Zitadel)
CVE-2026-29191 (same product: Zitadel Zitadel)
CVE-2025-64717 (same product: Zitadel Zitadel)
CVE-2026-32131 (same product: Zitadel Zitadel)
CVE-2026-29193 (same product: Zitadel Zitadel)
CVE-2026-29192 (same product: Zitadel Zitadel)
CVE-2025-27507 (same product: Zitadel Zitadel)
CVE-2025-31123 (same product: Zitadel Zitadel)

Affected Assets

Vendor: zitadel
Product: zitadel
Versions: 4.0.0 — 4.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Requires validation of untrusted inputs like Forwarded and X-Forwarded-Host headers at entry points to prevent construction of malicious password reset confirmation URLs.

prevent: Directly remediates the flaw in ZITADEL's login V2 password reset mechanism by identifying, testing, and applying patches such as version 4.7.1.

prevent: Enforces restrictions on information inputs at system boundaries to block or whitelist invalid host values in headers used for password reset link generation.