CVE-2026-32130
Published: 11 March 2026
Summary
CVE-2026-32130 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in ZITADEL, the open source identity management platform published by Zitadel. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-32130 is an authentication bypass in the System for Cross-domain Identity Management (SCIM) API of ZITADEL, an open source identity management platform. The SCIM API exists so that external providers can provision users into ZITADEL, which means it is designed to be reachable from outside systems. The issue affects versions from 2.68.0 up to but not including 3.4.8, and 4.x versions before 4.12.2. Requests to the SCIM API whose path contained URL-encoded values were routed correctly to the SCIM handlers but did not go through the required authentication and permission checks. That is the CWE-288 (Authentication Bypass Using an Alternate Path or Channel) pattern: the layer that dispatches a request and the layer that enforces access do not interpret the request the same way, so a spelling of the path that the router accepts can be one the access check does not recognize as protected. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): network-reachable, low complexity, no privileges or user interaction, high confidentiality impact, and no integrity or availability impact.
An unauthenticated remote attacker exploits this with low complexity by sending requests with URL-encoded path values to the SCIM API endpoints. Successful exploitation returns sensitive user information: names, email addresses, phone numbers, addresses, external IDs, and roles. Additional server-side checks on data-manipulating operations mean the bypassed paths cannot be used to modify or delete user data, which is why the vector carries no integrity impact. The exposure is read-only, but a directory of an identity provider's users is sensitive on its own.
ZITADEL fixed the vulnerability in releases 3.4.8 and 4.12.2; see the project's security advisory (GHSA-83pv-4xxp-rm2x) and the corresponding release notes. Operators should upgrade affected instances to one of those versions. Until the upgrade is done, unauthenticated requests to SCIM paths that contain percent-encoding are worth watching for in access logs, and exposing the SCIM endpoints only to the provisioning systems that legitimately use them reduces the reachable surface.
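The routing/authorization mismatch described above, reduced to a runnable Go reproduction of the bug class. This is an added example, not ZITADEL's code: the handler, the bearer token and the user record are hypothetical, and the page does not show how ZITADEL's real middleware matched paths. A gate that decides on the client's literal, percent-encoded path sits in front of a router that dispatches on the decoded path, so a request for `/%73cim/v2/Users` reaches the SCIM handler without credentials. The hardened variant decides on the same canonical path the router uses and additionally binds the check to the handler itself.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Hypothetical bearer token accepted by the demo; not a ZITADEL credential.
const demoToken = "Bearer demo-token"

// Constructed SCIM ListResponse fragment returned by the demo handler.
const demoUsers = `{"totalResults":1,"Resources":[{"userName":"alice","emails":[{"value":"alice@example.test"}]}]}`

// scimUsers stands in for the protected /scim/v2/Users resource.
func scimUsers(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/scim+json")
	fmt.Fprint(w, demoUsers)
}

// authenticated is the toy credential check shared by every gate below.
func authenticated(r *http.Request) bool {
	return r.Header.Get("Authorization") == demoToken
}

// newRouter dispatches on the decoded, cleaned path (r.URL.Path), as routers
// generally do: "/%73cim/v2/Users" and "/scim/v2/Users" reach the same handler.
func newRouter(routes map[string]http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if h, ok := routes[path.Clean(r.URL.Path)]; ok {
			h.ServeHTTP(w, r)
			return
		}
		http.NotFound(w, r)
	})
}

// gate demands authentication when pathOf(r) falls under the SCIM mount.
// Which view of the path it is given decides whether it is bypassable.
func gate(pathOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(pathOf(r), "/scim/v2/") && !authenticated(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// rawPath is the path as the client spelled it (still percent-encoded);
// canonicalPath is exactly what the router dispatches on.
func rawPath(r *http.Request) string       { return r.URL.EscapedPath() }
func canonicalPath(r *http.Request) string { return path.Clean(r.URL.Path) }

// requireAuth binds the check to the handler, so it runs whenever the
// handler runs, regardless of how the request was matched to it.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authenticated(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableServer: gate on the raw path, route on the decoded path (CWE-288).
// "/%73cim/v2/Users" does not start with "/scim/v2/", so no credentials are
// demanded, yet the router decodes it and serves the SCIM handler.
func vulnerableServer() http.Handler {
	return gate(rawPath, newRouter(map[string]http.Handler{
		"/scim/v2/Users": http.HandlerFunc(scimUsers),
	}))
}

// hardenedServer: gate and router see the same canonical path, and the
// handler enforces authentication on its own as defence in depth.
func hardenedServer() http.Handler {
	return gate(canonicalPath, newRouter(map[string]http.Handler{
		"/scim/v2/Users": requireAuth(http.HandlerFunc(scimUsers)),
	}))
}

// probe sends one request with the literal target through h and returns the status.
func probe(h http.Handler, rawTarget, authz string) int {
	req := httptest.NewRequest(http.MethodGet, rawTarget, nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, target := range []string{"/scim/v2/Users", "/%73cim/v2/Users", "/scim/v2/%55sers"} {
		fmt.Printf("GET %-18s no auth: vulnerable=%d hardened=%d\n", target,
			probe(vulnerableServer(), target, ""), probe(hardenedServer(), target, ""))
	}
}
```

The point of the two-layer fix is that enforcement must not depend on how a path is spelled: normalizing before the prefix check (the SI-10 side) closes this particular spelling, while attaching the check to the handler (the AC-3 side) means a future routing difference, such as a new encoding or a trailing-slash rewrite, cannot reopen it.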
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11409
Vulnerability details
ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, ZITADEL provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into ZITADEL. Requests to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authentication bypass in a public-facing SCIM API is a direct instance of T1190 (Exploit Public-Facing Application: unauthenticated remote exploitation of an exposed application) and enables T1087 (Account Discovery: retrieval of account details such as names, email addresses and roles without authentication).
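For the T1190/T1087 mapping, the matching hunt over reverse-proxy or edge access logs, as an added Go example that is not from this page or from ZITADEL (the log lines are constructed and the SCIM mount path `/scim/v2/` is assumed): normalize each request target the way the application will, then flag every request that resolves to a SCIM path but was not written that way, whatever status it received, since a 404 on a double-encoded path is still a probe. It generalizes slightly beyond the single-encoding case in the text by also catching double encoding and dot-segment tricks.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strconv"
	"strings"
)

// Constructed combined-format access-log lines from a hypothetical proxy in
// front of a SCIM endpoint; no real traffic.
const sampleLog = `203.0.113.7 - - [11/Mar/2026:10:01:02 +0000] "GET /scim/v2/Users HTTP/1.1" 401 52 "-" "curl/8.5.0"
203.0.113.7 - - [11/Mar/2026:10:01:05 +0000] "GET /%73cim/v2/Users HTTP/1.1" 200 4821 "-" "curl/8.5.0"
203.0.113.7 - - [11/Mar/2026:10:01:09 +0000] "GET /scim/v2/%55sers?count=200 HTTP/1.1" 200 9130 "-" "curl/8.5.0"
198.51.100.4 - - [11/Mar/2026:10:02:00 +0000] "GET /scim/v2/Users/1 HTTP/1.1" 200 610 "-" "provisioner/2.1"
198.51.100.4 - - [11/Mar/2026:10:02:01 +0000] "POST /oauth/v2/token HTTP/1.1" 200 1200 "-" "provisioner/2.1"
203.0.113.7 - - [11/Mar/2026:10:03:00 +0000] "GET /%2573cim/v2/Users HTTP/1.1" 404 19 "-" "curl/8.5.0"
`

// Fields of a combined-format entry we need: client, timestamp, method, target, status.
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// Finding is one request whose literal path differs from its canonical SCIM path.
type Finding struct {
	Client, Time, Method, RawPath, Canonical string
	Status int
	Rounds int // percent-decode passes needed before the path stopped changing
}

// canonicalize strips the query, percent-decodes until the path reaches a fixed
// point (at most 3 passes, so double encoding is caught) and resolves dot segments.
func canonicalize(target string) (string, int, error) {
	p := target
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	rounds := 0
	for rounds < 3 {
		d, err := url.PathUnescape(p)
		if err != nil {
			return "", rounds, err
		}
		if d == p {
			break
		}
		p, rounds = d, rounds+1
	}
	return path.Clean(p), rounds, nil
}

// scanLog flags requests that resolve to a /scim/v2/ path without being written
// that way, plus requests whose percent-encoding is malformed, regardless of status.
func scanLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		literal := strings.SplitN(m[4], "?", 2)[0]
		canon, rounds, err := canonicalize(m[4])
		if err == nil && (!strings.HasPrefix(canon, "/scim/v2/") || canon == literal) {
			continue // well-formed request written as it resolves: nothing to flag
		}
		out = append(out, Finding{Client: m[1], Time: m[2], Method: m[3], RawPath: m[4],
			Canonical: canon, Status: status, Rounds: rounds})
	}
	return out
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("%s %s %s %-32s -> %s (decode rounds=%d) status=%d\n",
			f.Time, f.Client, f.Method, f.RawPath, f.Canonical, f.Rounds, f.Status)
	}
}
```

Access logs do not record the Authorization header, so the strongest signal before patching is a 200 on an encoded SCIM path from a client that is not a known provisioning system; after upgrading to 3.4.8 or 4.12.2 the same requests should return 401, and any that still return 200 deserve a second look.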
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to sensitive user data on the SCIM API endpoints regardless of how the request path is spelled, directly preventing bypass through URL-encoded alternate paths.
- SI-10 (Information Input Validation): validates and normalizes URL-encoded path inputs to the SCIM API before any authorization decision, so a malformed or alternatively encoded request cannot evade authentication and permission checks.
- SI-2 (Flaw Remediation): identifies, reports, and remediates the specific flaw in ZITADEL's SCIM API routing logic that allows authentication bypass, as fixed in patched versions 3.4.8 and 4.12.2.