CVE-2026-29193 Overview
CVE-2026-29193 is an authentication bypass vulnerability in ZITADEL, an open source identity management platform. The vulnerability exists in Zitadel's login V2 UI and allows malicious users to bypass login behavior and security policies. Attackers can exploit this flaw to self-register new accounts or sign in using password authentication even when these options have been explicitly disabled in their organization's security configuration.
Critical Impact
Unauthorized users can bypass organization security policies to create accounts or authenticate via password, potentially gaining unauthorized access to protected resources and compromising organizational security controls.
Affected Products
- ZITADEL versions 4.0.0 through 4.12.0
- ZITADEL Login V2 UI component
Discovery Timeline
- 2026-03-07 - CVE-2026-29193 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-29193
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) affects the login V2 UI component in ZITADEL identity management platform. The flaw allows attackers to circumvent organization-level security policies that are designed to control user registration and authentication methods.
When an organization administrator disables self-registration or password-based authentication through ZITADEL's administrative interface, these restrictions should be enforced at the login layer. However, due to improper enforcement in the login V2 UI, users can bypass these restrictions and either create new accounts when self-registration is disabled or authenticate using passwords when only alternative authentication methods (such as SSO or passwordless) are permitted.
The vulnerability is particularly concerning for organizations that rely on ZITADEL to enforce strict authentication policies, such as requiring single sign-on (SSO) for all users or preventing unauthorized account creation in enterprise environments.
Root Cause
The root cause of this vulnerability is improper authentication enforcement in the login V2 UI component. The login interface fails to properly validate and enforce organization-level security policies before processing authentication or registration requests. This creates a disconnect between the configured security policies and their actual enforcement, allowing users to perform actions that should be prohibited by administrative settings.
Attack Vector
The vulnerability is exploitable remotely over the network without requiring any prior authentication or user interaction. An attacker with knowledge of this vulnerability can:
- Access the ZITADEL login V2 UI endpoint
- Bypass disabled self-registration to create unauthorized accounts within an organization
- Authenticate using password credentials when password authentication has been disabled in favor of more secure methods
The attack does not require special privileges or complex techniques, making it accessible to unsophisticated attackers. Organizations that have disabled certain authentication methods for compliance or security reasons may unknowingly be exposed to authentication vectors they believed were restricted.
Detection Methods for CVE-2026-29193
Indicators of Compromise
- Unexpected new user accounts appearing in organizations where self-registration is disabled
- Authentication logs showing password-based logins when password authentication should be disabled
- User registration events occurring outside normal administrative account creation workflows
- Login activity from the V2 UI that bypasses expected authentication flows (e.g., SSO redirects)
Detection Strategies
- Review ZITADEL audit logs for user registration events that occur when self-registration policies are set to disabled
- Monitor authentication events for password-based logins in organizations configured for SSO-only or passwordless authentication
- Implement alerting on unexpected account creation patterns or authentication method anomalies
- Compare configured organization policies against actual authentication behavior in logs
Monitoring Recommendations
- Enable comprehensive audit logging for all authentication and registration events in ZITADEL
- Configure alerts for any authentication method usage that contradicts organization policy settings
- Regularly audit user accounts to identify any unauthorized registrations
- Monitor the login V2 UI endpoints for suspicious activity patterns
How to Mitigate CVE-2026-29193
Immediate Actions Required
- Upgrade ZITADEL to version 4.12.1 or later immediately
- Audit all user accounts created during the vulnerable period (versions 4.0.0 to 4.12.0) to identify unauthorized registrations
- Review authentication logs to detect any policy bypass incidents
- Consider temporarily restricting access to the login V2 UI while upgrading if immediate patching is not possible
Patch Information
ZITADEL has released version 4.12.1 which addresses this authentication bypass vulnerability. Organizations running any version from 4.0.0 through 4.12.0 should upgrade immediately.
For detailed patch information and release notes, refer to the ZITADEL GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, consider implementing additional network-level controls to restrict access to the login V2 UI
- Deploy a web application firewall (WAF) with rules to detect and block suspicious registration or authentication attempts
- Implement additional identity verification for newly created accounts until the patch can be applied
- Consider reverting to login V1 UI if available and not affected by this vulnerability
# Verify your ZITADEL version
zitadel version
# Upgrade to patched version 4.12.1
# Follow your deployment method (Docker, Kubernetes, or binary)
# Example for Docker:
docker pull ghcr.io/zitadel/zitadel:v4.12.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
