CVE-2026-29193
Published: 07 March 2026
Summary
CVE-2026-29193 is a high-severity Improper Authentication (CWE-287) vulnerability in Zitadel Zitadel. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations in the login UI, directly preventing bypass of organizational policies for self-registration and password authentication.
IA-2 mandates proper identification and authentication techniques for organizational users, mitigating improper authentication that allows unauthorized sign-ins despite disabled password options.
AC-2 manages account lifecycle processes, preventing unauthorized self-registration of new accounts when such features are organizationally disabled.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Auth bypass in public-facing IdP directly enables policy circumvention for account creation (T1136) and unauthorized password sign-in (T1078) by remote attackers (T1190).
NVD Description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if…
more
corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1.
Deeper analysisAI
CVE-2026-29193 is a vulnerability in ZITADEL, an open-source identity management platform, affecting versions 4.0.0 through 4.12.0. The flaw exists in the login V2 UI, which permits users to bypass enforced login behaviors and organizational security policies. This enables self-registration of new accounts or password-based sign-ins even when these features are explicitly disabled at the organization level. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and maps to CWE-287 (Improper Authentication).
Unauthenticated remote attackers can exploit this issue over the network with low complexity and no user interaction required. By interacting directly with the login V2 UI, they can circumvent policy restrictions to create unauthorized accounts or authenticate via password, potentially compromising confidentiality through unauthorized access to sensitive identity data while introducing limited integrity risks.
The issue has been patched in ZITADEL version 4.12.1. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8.
Details
- CWE(s)