Cyber Resilience

CVE-2026-32130

Severity: High

Published: 11 March 2026
Modified: 16 March 2026
CISA KEV: not listed
Patch: available (3.4.8 / 4.12.2)
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0026 (49.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32130 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in ZITADEL, the open source identity management platform from Zitadel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32130 is an authentication bypass vulnerability in the System for Cross-domain Identity Management (SCIM) API of ZITADEL, an open source identity management platform. The issue affects versions from 2.68.0 up to but not including 3.4.8 and 4.12.2. Requests to the SCIM API whose path contains URL-encoded values are routed correctly by the server but skip the required authentication and permission checks; the weakness is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability effects.

Unauthenticated remote attackers can exploit this vulnerability with low complexity by sending specially crafted URL-encoded requests to the SCIM API endpoints. Successful exploitation allows retrieval of sensitive user information, including names, email addresses, phone numbers, addresses, external IDs, and roles. However, additional server-side checks prevent attackers from modifying or deleting user data through these bypassed paths.

ZITADEL has addressed the vulnerability in releases 3.4.8 and 4.12.2, as detailed in the project's security advisory (GHSA-83pv-4xxp-rm2x) and corresponding release notes. Security practitioners should upgrade affected instances to these patched versions to mitigate the risk of unauthorized data exposure.
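The root cause described above is a disagreement between two views of the same request path: the router resolves the decoded path, while the authorization gate inspects a different (undecoded) spelling, so a path that the gate does not recognise as protected is still dispatched to a protected handler. The following Go program is an added, constructed model of that pattern and its fix; it is not ZITADEL's code, the `/scim/v2/` prefix, the `Outcome` type and all helper functions are hypothetical, and the actual location of the flaw in ZITADEL's routing logic is not stated on this page. It also illustrates the AC-3 (one gate applied to the canonical path) and SI-10 (decode and reject malformed input before any decision) controls listed under Mitigating Controls.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed example, not ZITADEL code: a minimal model of a request
// pipeline consisting of an authorization gate and a router. The prefix,
// the Outcome type and every helper below are hypothetical.

const scimPrefix = "/scim/v2/"

// Outcome records what the router resolved and whether the gate let the
// request through.
type Outcome struct {
	Route   string // handler the router selected; "" if no route matched
	Allowed bool   // whether the authorization gate permitted the request
}

// canonicalPath decodes percent-encoding and cleans the path so that every
// spelling of a path collapses to one canonical form. Malformed escapes are
// reported as an error so callers can reject the request outright.
func canonicalPath(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	// path.Clean resolves "." and ".." segments and collapses repeated slashes.
	return path.Clean("/" + decoded), nil
}

// route models a router that matches on the decoded path, which is the
// behaviour the advisory describes ("correctly routed").
func route(canonical string) string {
	if strings.HasPrefix(canonical, scimPrefix) {
		return "scim:" + strings.TrimPrefix(canonical, scimPrefix)
	}
	return ""
}

// vulnerableGate decides on the raw request string. Because the router
// decides on the decoded form, the two can disagree about whether a request
// targets the protected prefix: the alternate-path weakness (CWE-288).
func vulnerableGate(raw string, authenticated bool) bool {
	if strings.HasPrefix(raw, scimPrefix) {
		return authenticated
	}
	return true // this gate cannot tell the path is protected
}

// VulnerableDispatch gates on the raw string but routes on the canonical one.
func VulnerableDispatch(raw string, authenticated bool) Outcome {
	allowed := vulnerableGate(raw, authenticated)
	canonical, err := canonicalPath(raw)
	if err != nil {
		return Outcome{}
	}
	return Outcome{Route: route(canonical), Allowed: allowed}
}

// HardenedDispatch canonicalizes exactly once and feeds the same path to the
// router and the gate, so no spelling of a protected path can evade the gate.
// A malformed escape is rejected before any routing or authorization decision.
func HardenedDispatch(raw string, authenticated bool) Outcome {
	canonical, err := canonicalPath(raw)
	if err != nil {
		return Outcome{} // no route, not allowed
	}
	r := route(canonical)
	if r != "" && !authenticated {
		return Outcome{Route: r, Allowed: false}
	}
	return Outcome{Route: r, Allowed: true}
}

func main() {
	// Constructed sample requests, all unauthenticated.
	for _, raw := range []string{"/scim/v2/Users", "/%73cim/v2/Users", "/scim/v2/%zz"} {
		fmt.Printf("%-20s vulnerable=%+v hardened=%+v\n",
			raw, VulnerableDispatch(raw, false), HardenedDispatch(raw, false))
	}
}
```

The design point is that authorization must be evaluated on the identical canonical path the router uses; normalising in one place and rejecting anything that fails to decode removes the alternate path entirely, rather than trying to enumerate encodings in the gate.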


Vulnerability details

ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Requests to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1087 Account Discovery (Discovery): Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
Why these techniques?

The authentication bypass in the public-facing SCIM API directly enables T1190 (unauthenticated remote exploitation of an exposed application) and facilitates T1087 (retrieval of account details, including names, email addresses and roles, without authentication).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64103 (same product: Zitadel Zitadel)
CVE-2026-29067 (same product: Zitadel Zitadel)
CVE-2026-32132 (same product: Zitadel Zitadel)
CVE-2026-29191 (same product: Zitadel Zitadel)
CVE-2025-64717 (same product: Zitadel Zitadel)
CVE-2026-29192 (same product: Zitadel Zitadel)
CVE-2026-29193 (same product: Zitadel Zitadel)
CVE-2026-32131 (same product: Zitadel Zitadel)
CVE-2026-44671 (same product: Zitadel Zitadel)
CVE-2025-53895 (same product: Zitadel Zitadel)

Affected Assets

zitadel / zitadel: 2.68.0 to before 3.4.8; 4.0.0 to before 4.12.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

- AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to sensitive user data via SCIM API endpoints, directly preventing bypass through URL-encoded alternate paths.
- SI-10 Information Input Validation (prevent): Validates and sanitizes URL-encoded path inputs to the SCIM API, blocking malformed requests that evade authentication and permission checks.
- (prevent): Identifies, reports, and remediates the specific flaw in ZITADEL's SCIM API routing logic that allows authentication bypass, as fixed in patched versions 3.4.8 and 4.12.2.
