
CVE-2026-32132

Severity: High
Published: 11 March 2026
Modified: 16 March 2026
KEV Added: not listed
Patch: available (ZITADEL 3.4.8 and 4.12.2)
CVSS v3.1 score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0005 (14.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32132 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in ZITADEL, the open source identity management platform (vendor Zitadel, product zitadel). Its CVSS v3.1 base score is 7.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 14.7th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-32132 is a vulnerability in ZITADEL, an open source identity management platform, affecting versions prior to 3.4.8 and 4.x versions prior to 4.12.2. The issue resides in the passkey registration endpoints, which accept a previously retrieved registration code: the code's expiration was not checked properly, so a code could still be used to register a passkey after it should have been rejected. The flaw is classified as CWE-613 (Insufficient Session Expiration) and carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N): reachable over the network, no privileges or user interaction required, high confidentiality and integrity impact, no availability impact.

A remote, unauthenticated attacker who obtains a victim's passkey registration code can use it after its intended expiration to register an attacker-controlled passkey on the victim's account. Successful exploitation yields account takeover without any interaction from the victim. The high attack complexity (AC:H) reflects the precondition: the attacker must first get hold of a code that was issued to the victim; the vulnerability only removes the time limit that would otherwise have made a stale code worthless.
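The missing check, illustrated as an added example in Go (ZITADEL's implementation language). This is not ZITADEL's code: the RegistrationCode type, CodeStore, IssueCode and the two handler functions are hypothetical names chosen for this illustration. The vulnerable variant looks the stored code up and compares it but never consults its lifetime; the hardened variant rejects anything past IssuedAt plus Lifetime, refuses reuse, and compares in constant time.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors returned by the registration handlers below.
var (
	ErrNotFound = errors.New("no registration code issued for this user")
	ErrExpired  = errors.New("registration code expired")
	ErrConsumed = errors.New("registration code already used")
	ErrMismatch = errors.New("registration code does not match")
)

// RegistrationCode is a one-time code handed to a user so they can register
// a passkey. Hypothetical type for this example, not ZITADEL's internal model.
type RegistrationCode struct {
	UserID   string
	Code     string
	IssuedAt time.Time
	Lifetime time.Duration
	Consumed bool
}

// CodeStore stands in for the table that persists issued codes, keyed by user.
type CodeStore map[string]*RegistrationCode

// IssueCode creates a fresh 256-bit random code for userID, valid for lifetime
// from now. The caller supplies now so the expiry path is testable.
func IssueCode(s CodeStore, userID string, lifetime time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(raw)
	s[userID] = &RegistrationCode{UserID: userID, Code: code, IssuedAt: now, Lifetime: lifetime}
	return code, nil
}

// RegisterPasskeyVulnerable shows the weak pattern the advisory describes:
// the stored code is looked up and compared, but its lifetime is never
// evaluated, so a code retrieved long ago is still accepted.
func RegisterPasskeyVulnerable(s CodeStore, userID, presented string, now time.Time) error {
	rc, ok := s[userID]
	if !ok {
		return ErrNotFound
	}
	if rc.Consumed {
		return ErrConsumed
	}
	if subtle.ConstantTimeCompare([]byte(rc.Code), []byte(presented)) != 1 {
		return ErrMismatch
	}
	rc.Consumed = true // note: now was never consulted
	return nil
}

// RegisterPasskeyHardened rejects the code once IssuedAt+Lifetime has passed,
// refuses reuse, and compares in constant time. Expiry is checked before the
// value comparison so an expired code reveals nothing about whether it matched.
func RegisterPasskeyHardened(s CodeStore, userID, presented string, now time.Time) error {
	rc, ok := s[userID]
	if !ok {
		return ErrNotFound
	}
	if !now.Before(rc.IssuedAt.Add(rc.Lifetime)) {
		delete(s, userID) // an expired code should not linger in the store
		return ErrExpired
	}
	if rc.Consumed {
		return ErrConsumed
	}
	if subtle.ConstantTimeCompare([]byte(rc.Code), []byte(presented)) != 1 {
		return ErrMismatch
	}
	rc.Consumed = true
	return nil
}

func main() {
	store := CodeStore{}
	issued := time.Date(2026, 3, 11, 9, 0, 0, 0, time.UTC) // constructed timestamp
	code, err := IssueCode(store, "victim", 10*time.Minute, issued)
	if err != nil {
		panic(err)
	}
	late := issued.Add(2 * time.Hour) // the leaked code is presented two hours later
	fmt.Println("vulnerable:", RegisterPasskeyVulnerable(store, "victim", code, late))
	store = CodeStore{}
	code, _ = IssueCode(store, "victim", 10*time.Minute, issued)
	fmt.Println("hardened:  ", RegisterPasskeyHardened(store, "victim", code, late))
}
```

Passing now explicitly rather than calling time.Now() inside the handler is what makes the expiry path testable. In the demonstration a code issued with a ten-minute lifetime is presented two hours later: the vulnerable handler returns nil and registers the attacker's passkey, the hardened one returns ErrExpired and discards the code.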

ZITADEL fixed the issue in releases 3.4.8 and 4.12.2; see the project's GitHub release notes and security advisory GHSA-2x66-r53r-9r86. Operators should upgrade to one of these versions.


Vulnerability details

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. These endpoints allow registering a new passkey using a previously retrieved code. An improper expiration check of the code could allow an attacker to potentially register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2.

CWE(s)

CWE-613 Insufficient Session Expiration

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098 Account Manipulation (Persistence): adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The passkey registration endpoints are exposed over the network, so abusing the insufficient expiration check is remote exploitation of a public-facing application (T1190). The outcome, an attacker-controlled passkey attached to the victim's account, is account manipulation for persistence (T1098): the attacker ends up holding a durable credential on the account rather than a one-off session.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64103 (same product: ZITADEL)
CVE-2026-32130 (same product: ZITADEL)
CVE-2026-29067 (same product: ZITADEL)
CVE-2026-29191 (same product: ZITADEL)
CVE-2025-64717 (same product: ZITADEL)
CVE-2026-29192 (same product: ZITADEL)
CVE-2026-32131 (same product: ZITADEL)
CVE-2026-29193 (same product: ZITADEL)
CVE-2025-27507 (same product: ZITADEL)
CVE-2025-53895 (same product: ZITADEL)

Affected Assets

zitadel / zitadel
Affected: versions below 3.4.8, and 4.0.0 up to but not including 4.12.2
Fixed: 3.4.8 and 4.12.2
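A triage helper for the ranges above, added here as an example and not a ZITADEL tool: it parses a deployed version string and reports whether it falls inside the vulnerable ranges, anything below 3.4.8 or 4.0.0 up to but not including 4.12.2. Pre-release tags such as 4.12.2-rc.1 sort below the release they precede, so they are still reported as affected; major versions above 4 are outside the advisory's scope and reported as not affected. The Version type, ParseVersion and Affected are this example's own names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed MAJOR.MINOR.PATCH with a flag for a pre-release suffix.
type Version struct {
	Major, Minor, Patch int
	Pre                 bool // true for "4.12.2-rc.1", which sorts below 4.12.2
}

// ParseVersion accepts forms like "3.4.7", "v4.12.2", "4.12.2-rc.1" and "4.12.2+build7".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v Version
	if i := strings.Index(s, "+"); i >= 0 { // build metadata never affects precedence
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 { // pre-release: lower precedence than the release
		v.Pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Less reports whether v sorts before o under semver precedence rules.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	if v.Patch != o.Patch {
		return v.Patch < o.Patch
	}
	return v.Pre && !o.Pre
}

// First fixed release on each maintained line, from the advisory.
var (
	fixed3 = Version{Major: 3, Minor: 4, Patch: 8}
	fixed4 = Version{Major: 4, Minor: 12, Patch: 2}
)

// Affected reports whether a release string is inside the vulnerable ranges:
// anything below 3.4.8, and 4.0.0 up to but not including 4.12.2.
func Affected(s string) (bool, error) {
	v, err := ParseVersion(s)
	if err != nil {
		return false, err
	}
	switch {
	case v.Major <= 3:
		return v.Less(fixed3), nil
	case v.Major == 4:
		return v.Less(fixed4), nil
	default: // 5.x and later are not covered by this advisory
		return false, nil
	}
}

func main() {
	// Constructed sample inputs, including pre-release and build-metadata forms.
	for _, s := range []string{"3.4.7", "3.4.8", "v4.0.0", "4.12.1", "4.12.2-rc.1", "4.12.2+build7", "4.13.0", "5.0.0", "4.12"} {
		a, err := Affected(s)
		if err != nil {
			fmt.Println(s, "error:", err)
			continue
		}
		fmt.Printf("%-14s affected=%v\n", s, a)
	}
}
```

Feed it the version reported by your deployment (for example from the ZITADEL container image tag); a parse error rather than a silent false is returned for strings that are not three-part versions, so an unrecognised tag is never mistaken for a safe one.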

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent)
Directly requires proper management of authenticator issuance and registration processes, including validation of the registration codes or tokens used for passkeys.

AC-3 Access Enforcement (prevent)
Enforces approved authorization rules at the passkey registration endpoint so that only non-expired codes may be used to register a new authenticator.

Session and code termination (prevent)
Mandates termination of sessions and codes after a defined period, directly addressing the missing expiration check on registration codes.

References

GitHub Security Advisory GHSA-2x66-r53r-9r86 (ZITADEL; fixed in 3.4.8 and 4.12.2)