Cyber Resilience

CVE-2026-44671

Severity: High
Published: 14 May 2026
Modified: 15 May 2026
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0011 (29.9th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-44671 is a high-severity LDAP Injection (CWE-90) vulnerability in Zitadel (vendor: Zitadel). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Domain Account Discovery (T1087.002). EPSS ranks it at the 29.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This vulnerability is fixed in 3.4.10 and 4.15.0.
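As an added illustration of the defect class described above (example code written for this page, not Zitadel's own implementation; the attribute name `uid` and the filter shape are assumptions), a Go helper that escapes filter assertion values per RFC 4515, shown beside an unescaped filter builder so the difference in the resulting filter is visible:

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes an assertion value for use inside an LDAP search
// filter as RFC 4515 section 3 requires: '*', '(', ')', '\' and NUL are
// replaced by "\XX" (two hex digits). Written for this example.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildUserFilterUnsafe mirrors the defect class: the username is placed in
// the filter verbatim, so metacharacters change the filter's structure.
// Hypothetical illustration, not Zitadel's code.
func buildUserFilterUnsafe(userAttr, username string) string {
	return fmt.Sprintf("(&(objectClass=person)(%s=%s))", userAttr, username)
}

// buildUserFilterSafe is the hardened form: the value is escaped first, so
// any metacharacter in the username is matched literally.
func buildUserFilterSafe(userAttr, username string) string {
	return fmt.Sprintf("(&(objectClass=person)(%s=%s))", userAttr, escapeFilterValue(username))
}

func main() {
	// Constructed sample inputs: a normal name, a wildcard, and a value
	// containing parentheses.
	for _, u := range []string{"alice", "al*", "(alice)"} {
		fmt.Println("unsafe:", buildUserFilterUnsafe("uid", u))
		fmt.Println("safe:  ", buildUserFilterSafe("uid", u))
	}
}
```

With the unsafe builder, the input `al*` yields `(uid=al*)`, a wildcard match usable for the username enumeration the advisory describes; with escaping it becomes `(uid=al\2a)` and only matches that literal string.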

Related Threats

MITRE ATT&CK Enterprise Techniques

T1087.002 Domain Account Discovery: Adversaries may attempt to get a listing of domain accounts.

Why this technique? LDAP filter injection enables enumeration of valid domain usernames and attribute data extraction from the directory service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32130 (same product: Zitadel Zitadel)
CVE-2026-29192 (same product: Zitadel Zitadel)
CVE-2025-53895 (same product: Zitadel Zitadel)
CVE-2026-32131 (same product: Zitadel Zitadel)
CVE-2026-29067 (same product: Zitadel Zitadel)
CVE-2026-29193 (same product: Zitadel Zitadel)
CVE-2025-31123 (same product: Zitadel Zitadel)
CVE-2026-29191 (same product: Zitadel Zitadel)
CVE-2025-64717 (same product: Zitadel Zitadel)
CVE-2025-64103 (same product: Zitadel Zitadel)

Affected Assets

Vendor / product: zitadel / zitadel
Affected versions: 2.71.11 up to (not including) 3.4.10, and 4.0.0 up to (not including) 4.15.0
