CVE-2026-32132
Published: 11 March 2026
Summary
CVE-2026-32132 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in ZITADEL, by Zitadel. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-32132 is a vulnerability in ZITADEL, an open source identity management platform, affecting versions prior to 3.4.8 and 4.12.2. The issue resides in the passkey registration endpoints, where an improper expiration check on previously retrieved codes allows unauthorized registration attempts. This flaw, classified under CWE-613 (Insufficient Session Expiration), has a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts from a network-based attack.
A remote attacker without privileges can exploit this vulnerability by obtaining a victim's passkey registration code and using it after its intended expiration to register their own passkey. Successful exploitation grants the attacker access to the victim's account, potentially enabling account takeover without user interaction, though it requires high attack complexity.
ZITADEL addressed this vulnerability in releases 3.4.8 and 4.12.2, as detailed in the project's GitHub release notes and security advisory (GHSA-2x66-r53r-9r86). Security practitioners should upgrade to these patched versions to mitigate the risk.
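The following Go example is added here to illustrate the CWE-613 pattern the analysis above describes; it is not ZITADEL's code, and every type, function and field name in it (RegistrationCode, CodeStore, VulnerableRegisterPasskey, FixedRegisterPasskey) is an assumption made for the example. It places a registration handler that only checks that a code exists beside a hardened handler that also enforces the code's expiry and single use, and drives both with a constructed clock so the stale-code case can be reproduced deterministically.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// RegistrationCode is a hypothetical one-time code handed to a user so that a
// passkey can be enrolled for the account. The type and field names are
// assumptions made for this example; they are not ZITADEL's own types.
type RegistrationCode struct {
	Value     string
	UserID    string
	IssuedAt  time.Time
	ExpiresAt time.Time
	Consumed  bool
}

var (
	ErrUnknownCode = errors.New("registration code not found")
	ErrExpiredCode = errors.New("registration code expired")
	ErrUsedCode    = errors.New("registration code already consumed")
)

// CodeStore keeps issued codes in memory (a real deployment would persist them)
// and takes an injectable clock so the expiry path can be exercised deterministically.
type CodeStore struct {
	codes map[string]*RegistrationCode
	now   func() time.Time
}

func NewCodeStore(now func() time.Time) *CodeStore {
	if now == nil {
		now = time.Now
	}
	return &CodeStore{codes: make(map[string]*RegistrationCode), now: now}
}

// Issue creates a fresh random code for userID that is valid for ttl.
func (s *CodeStore) Issue(userID string, ttl time.Duration) (*RegistrationCode, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	rc := &RegistrationCode{
		Value:     base64.RawURLEncoding.EncodeToString(buf),
		UserID:    userID,
		IssuedAt:  s.now(),
		ExpiresAt: s.now().Add(ttl),
	}
	s.codes[rc.Value] = rc
	return rc, nil
}

// VulnerableRegisterPasskey models the CWE-613 pattern the advisory describes:
// the handler confirms that the code was issued but never compares ExpiresAt
// with the current time, so a code retrieved earlier keeps working after its
// intended lifetime. It returns the user ID the new passkey would be bound to.
func (s *CodeStore) VulnerableRegisterPasskey(code string) (string, error) {
	rc, ok := s.codes[code]
	if !ok {
		return "", ErrUnknownCode
	}
	return rc.UserID, nil
}

// FixedRegisterPasskey is the hardened form: it rejects consumed codes, rejects
// codes whose ExpiresAt has passed, and marks the code consumed before the
// passkey is bound, so each code authorises exactly one registration.
func (s *CodeStore) FixedRegisterPasskey(code string) (string, error) {
	rc, ok := s.codes[code]
	if !ok {
		return "", ErrUnknownCode
	}
	if rc.Consumed {
		return "", ErrUsedCode
	}
	if !s.now().Before(rc.ExpiresAt) {
		return "", ErrExpiredCode
	}
	rc.Consumed = true
	return rc.UserID, nil
}

func main() {
	// Constructed scenario: a code issued at noon with a 5 minute TTL is presented 6 minutes later.
	clock := time.Date(2026, 3, 11, 12, 0, 0, 0, time.UTC)
	store := NewCodeStore(func() time.Time { return clock })
	rc, err := store.Issue("user-1", 5*time.Minute)
	if err != nil {
		panic(err)
	}
	clock = clock.Add(6 * time.Minute)

	_, err = store.VulnerableRegisterPasskey(rc.Value)
	fmt.Println("vulnerable handler accepts stale code:", err == nil)
	_, err = store.FixedRegisterPasskey(rc.Value)
	fmt.Println("fixed handler rejects stale code:", errors.Is(err, ErrExpiredCode))
}
```

The expiry comparison is made against the injected clock rather than a cached timestamp, and the code is marked consumed before the passkey is bound, so a code that was valid when first fetched cannot be replayed later. In a persisted store the same checks belong in the same transaction that writes the new authenticator.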
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11412
Vulnerability details
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code could allow an attacker to potentially register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2.
- CWE(s): CWE-613 (Insufficient Session Expiration)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote network exploitation of public-facing ZITADEL registration endpoints (T1190) due to insufficient expiration enables unauthorized addition of attacker-controlled passkey credentials to a victim account (T1098 Account Manipulation).
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly requires proper management of authenticator issuance and registration processes, including validation of the registration codes/tokens used for passkeys.
- AC-3 (Access Enforcement): Enforces approved authorization rules at the passkey registration endpoint so that only non-expired codes may be used to register a new authenticator.
- Mandates session/code termination after a defined period, directly addressing the missing expiration check on registration codes.