Cyber Resilience

CVE-2026-29193

High

Published: 07 March 2026

Published
07 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0031 22.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-29193 is a high-severity Improper Authentication (CWE-287) vulnerability in Zitadel Zitadel. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-29193 is a vulnerability in ZITADEL, an open-source identity management platform, affecting versions 4.0.0 through 4.12.0. The flaw exists in the login V2 UI, which permits users to bypass enforced login behaviors and organizational security policies. This enables self-registration of new accounts or password-based sign-ins even when these features are explicitly disabled at the organization level. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and maps to CWE-287 (Improper Authentication).

Unauthenticated remote attackers can exploit this issue over the network with low complexity and no user interaction required. By interacting directly with the login V2 UI, they can circumvent policy restrictions to create unauthorized accounts or authenticate via password, potentially compromising confidentiality through unauthorized access to sensitive identity data while introducing limited integrity risks.

The issue has been patched in ZITADEL version 4.12.1. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if…

more

corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

Auth bypass in public-facing IdP directly enables policy circumvention for account creation (T1136) and unauthorized password sign-in (T1078) by remote attackers (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64717Same product: Zitadel Zitadel
CVE-2025-64103Same product: Zitadel Zitadel
CVE-2026-29192Same product: Zitadel Zitadel
CVE-2026-32132Same product: Zitadel Zitadel
CVE-2026-29191Same product: Zitadel Zitadel
CVE-2026-32130Same product: Zitadel Zitadel
CVE-2026-29067Same product: Zitadel Zitadel
CVE-2026-32131Same product: Zitadel Zitadel
CVE-2025-31123Same product: Zitadel Zitadel
CVE-2025-27507Same product: Zitadel Zitadel

Affected Assets

zitadel
zitadel
4.0.0 — 4.12.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations in the login UI, directly preventing bypass of organizational policies for self-registration and password authentication.

prevent

IA-2 mandates proper identification and authentication techniques for organizational users, mitigating improper authentication that allows unauthorized sign-ins despite disabled password options.

prevent

AC-2 manages account lifecycle processes, preventing unauthorized self-registration of new accounts when such features are organizationally disabled.

References