CVE-2026-32130
Published: 11 March 2026
Summary
CVE-2026-32130 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in ZITADEL (vendor: Zitadel). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 47.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.
Users can identify logons via alternate paths or channels by reviewing the previous logon time.
Adaptive requirements can apply across access paths, reducing the ability to bypass authentication via alternate channels or paths.
Centralized IdPs close alternate authentication paths that enable bypass.
Enforces authentication for non-organizational users, making it harder to bypass via alternate paths or channels.
Requires authentication to occur exclusively over the isolated trusted path, directly preventing bypass via alternate or untrusted channels.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Authentication bypass in the public-facing SCIM API directly enables T1190 (remote, unauthenticated exploitation of an exposed application) and facilitates T1087 (retrieval of account details, including names, emails and roles, without authentication).
NVD Description
ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Requests to the API with URL-encoded path values were correctly routed but would bypass necessary authentication and permission checks. This allowed unauthenticated attackers to retrieve sensitive information such as names, email addresses, phone numbers, addresses, external IDs, and roles. Note that due to additional checks when manipulating data, an attacker could not modify or delete any user data. This vulnerability is fixed in 3.4.8 and 4.12.2.
Deeper analysis (AI-generated)
CVE-2026-32130 is an authentication bypass vulnerability in the System for Cross-domain Identity Management (SCIM) API of ZITADEL, an open source identity management platform. The issue affects versions from 2.68.0 up to but not including 3.4.8 and 4.12.2. Specifically, requests to the SCIM API using URL-encoded path values are correctly routed by the server but evade required authentication and permission checks, stemming from CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability effects.
Unauthenticated remote attackers can exploit this vulnerability with low complexity by sending specially crafted URL-encoded requests to the SCIM API endpoints. Successful exploitation allows retrieval of sensitive user information, including names, email addresses, phone numbers, addresses, external IDs, and roles. However, additional server-side checks prevent attackers from modifying or deleting user data through these bypassed paths.
ZITADEL has addressed the vulnerability in releases 3.4.8 and 4.12.2, as detailed in the project's security advisory (GHSA-83pv-4xxp-rm2x) and corresponding release notes. Security practitioners should upgrade affected instances to these patched versions to mitigate the risk of unauthorized data exposure.
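Two checks a defender would want after reading the advisory are (1) whether a given ZITADEL version falls inside the affected range and (2) whether access logs show the request shape the advisory describes: SCIM paths carrying percent-encoding in the path component. The Go program below is an added example written for this page, not ZITADEL project code. It assumes the affected range reads as 2.68.0 <= v < 3.4.8 on the 2.x/3.x line and 4.0.0 <= v < 4.12.2 on the 4.x line, assumes the SCIM routes live under `/scim/v2/` (adjust for the deployment), and scans constructed combined-format log lines; encoding in the query string (normal for SCIM `filter` parameters) is deliberately not flagged, only encoding in the path.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Version is a minimal semver triple; prerelease/build suffixes are ignored.
type Version struct{ Major, Minor, Patch int }

// ParseVersion parses "3.4.8" or "v3.4.8-rc1" into a Version.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.SplitN(s, ".", 3)
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("bad version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		if i == 2 { // drop "-rc1" / "+meta" from the patch component
			if idx := strings.IndexAny(p, "-+"); idx >= 0 {
				p = p[:idx]
			}
		}
		v, err := strconv.Atoi(p)
		if err != nil {
			return Version{}, fmt.Errorf("bad version %q: %w", s, err)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether a sorts before b.
func (a Version) Less(b Version) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	return a.Patch < b.Patch
}

// Range boundaries taken from the advisory text above.
var (
	firstAffected = Version{2, 68, 0}
	fixed3        = Version{3, 4, 8}
	fixed4        = Version{4, 12, 2}
)

// IsAffected applies the assumed reading of "from 2.68.0 to before 3.4.8 and 4.12.2":
// 2.68.0 <= v < 3.4.8 for the 2.x/3.x line, 4.0.0 <= v < 4.12.2 for the 4.x line.
func IsAffected(v Version) bool {
	if v.Major >= 4 {
		return v.Major == 4 && v.Less(fixed4)
	}
	return !v.Less(firstAffected) && v.Less(fixed3)
}

// Finding is one access-log line queued for review.
type Finding struct {
	Line    int
	RawPath string
	Decoded string
	Reason  string
}

// scimPrefix is an assumption about where the SCIM API is mounted.
const scimPrefix = "/scim/v2/"

// pathFromLogLine pulls the request target out of a combined-log-style line:
// <ip> - - [<ts>] "<METHOD> <TARGET> <PROTO>" <status> <bytes>
func pathFromLogLine(line string) (string, bool) {
	start := strings.Index(line, "\"")
	if start < 0 {
		return "", false
	}
	end := strings.Index(line[start+1:], "\"")
	if end < 0 {
		return "", false
	}
	req := strings.Fields(line[start+1 : start+1+end])
	if len(req) < 2 {
		return "", false
	}
	return req[1], true
}

// ScanLog flags requests whose *path* (query string excluded) contains percent-encoding
// and, once decoded, targets the SCIM prefix. Decoding uses url.PathUnescape so an
// encoded prefix still matches; undecodable paths are flagged for manual review.
func ScanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		target, ok := pathFromLogLine(line)
		if !ok {
			continue
		}
		rawPath := target
		if q := strings.Index(rawPath, "?"); q >= 0 {
			rawPath = rawPath[:q] // encoding inside the query is expected, ignore it
		}
		if !strings.Contains(rawPath, "%") {
			continue
		}
		decoded, err := url.PathUnescape(rawPath)
		if err != nil {
			out = append(out, Finding{i + 1, rawPath, "", "malformed percent-encoding in path"})
			continue
		}
		if strings.HasPrefix(decoded, scimPrefix) {
			out = append(out, Finding{i + 1, rawPath, decoded, "percent-encoded SCIM path"})
		}
	}
	return out
}

// sampleLog is constructed test data, not real traffic. Line 2 is the shape to review:
// an encoded path segment that decodes to a SCIM resource path.
var sampleLog = []string{
	`10.0.0.5 - - [11/Mar/2026:10:00:01 +0000] "GET /scim/v2/Users HTTP/1.1" 401 0`,
	`10.0.0.5 - - [11/Mar/2026:10:00:02 +0000] "GET /scim/v2/%55sers HTTP/1.1" 200 1842`,
	`10.0.0.7 - - [11/Mar/2026:10:00:03 +0000] "GET /ui/console HTTP/1.1" 200 512`,
	`10.0.0.5 - - [11/Mar/2026:10:00:04 +0000] "GET /scim/v2/Users?filter=userName%20eq%20%22a%22 HTTP/1.1" 401 0`,
}

func main() {
	for _, s := range []string{"2.67.0", "2.68.0", "3.4.7", "3.4.8", "4.11.0", "4.12.2"} {
		v, _ := ParseVersion(s)
		fmt.Printf("%-7s affected=%v\n", s, IsAffected(v))
	}
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("line %d: %s raw=%q decoded=%q\n", f.Line, f.Reason, f.RawPath, f.Decoded)
	}
}
```

Run it against your own instance's version string and a slice of reverse-proxy logs covering the exposure window; a flagged encoded path that was answered with 200 while the plain-path equivalent from the same client got 401 is the pattern worth escalating.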
Details
- CWE(s)