CVE-2026-32130 Overview
ZITADEL, an open source identity management platform, contains an authentication bypass vulnerability in its System for Cross-domain Identity Management (SCIM) API. The vulnerability affects versions from 2.68.0 to before 3.4.8 and 4.12.2. When requests are sent to the SCIM API with URL-encoded path values, the requests are correctly routed but bypass necessary authentication and permission checks. This allows unauthenticated attackers to retrieve sensitive information including names, email addresses, phone numbers, addresses, external IDs, and roles from the identity management system.
Critical Impact
Unauthenticated remote attackers can access sensitive user identity data through the SCIM API without any credentials, potentially exposing personally identifiable information (PII) of all users managed by the ZITADEL instance.
Affected Products
- ZITADEL versions 2.68.0 to before 3.4.8
- ZITADEL versions 4.x to before 4.12.2
Discovery Timeline
- March 11, 2026 - CVE-2026-32130 published to NVD
- March 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-32130
Vulnerability Analysis
This vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The SCIM API endpoint in ZITADEL is designed to allow external identity providers to provision users into the platform. However, the authentication middleware fails to properly validate requests when the URL path contains URL-encoded characters.
When a request reaches the SCIM endpoint with URL-encoded path segments (such as %2F instead of /), the routing layer correctly interprets and routes the request to the appropriate handler. However, the authentication and authorization checks that should be applied to these requests do not properly decode and validate the path, resulting in the request bypassing security controls entirely.
The impact is limited to read operations—attackers can retrieve user data but cannot modify or delete records due to additional integrity checks in the data manipulation layer.
Root Cause
The root cause is improper URL decoding handling in the authentication middleware. The routing logic and the authentication logic use different path normalization approaches, creating a discrepancy that allows attackers to craft requests that bypass authentication while still reaching protected endpoints. This is a common pattern in path traversal and authentication bypass vulnerabilities where different components handle URL encoding inconsistently.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with network access to a vulnerable ZITADEL instance can exploit this vulnerability by sending specially crafted HTTP requests to the SCIM API endpoint with URL-encoded path values.
The attack flow involves:
- Identifying a ZITADEL instance exposing the SCIM API
- Crafting requests with URL-encoded path segments to bypass authentication
- Querying the SCIM endpoint to enumerate and extract user data including names, email addresses, phone numbers, physical addresses, external identifiers, and role assignments
Due to the nature of identity management platforms, a successful exploit could expose the entire user directory of an organization.
Detection Methods for CVE-2026-32130
Indicators of Compromise
- Unusual HTTP requests to SCIM API endpoints containing URL-encoded path characters such as %2F, %2E, or %5C
- High volume of unauthenticated requests to /scim/ or related identity management endpoints
- Access logs showing successful SCIM API responses without corresponding authentication events
- Data exfiltration patterns indicating bulk user enumeration through the SCIM interface
Detection Strategies
- Monitor web application logs for SCIM API requests containing percent-encoded characters in the URL path
- Implement anomaly detection for unauthenticated access patterns to identity management endpoints
- Correlate SCIM API access logs with authentication logs to identify requests that bypassed authentication
- Deploy Web Application Firewall (WAF) rules to detect and alert on URL-encoded path manipulation attempts
Monitoring Recommendations
- Enable detailed access logging on ZITADEL instances with request path and authentication status
- Configure alerts for high-frequency SCIM API queries from single IP addresses or unusual geographic locations
- Review historical SCIM API access logs for signs of prior exploitation before patching
How to Mitigate CVE-2026-32130
Immediate Actions Required
- Upgrade to ZITADEL version 3.4.8 or 4.12.2 immediately
- Review SCIM API access logs for evidence of exploitation
- Consider temporarily disabling the SCIM API if not actively used until patching is complete
- Implement network-level access controls to restrict SCIM API access to trusted identity providers
Patch Information
The vulnerability has been fixed in ZITADEL versions 3.4.8 and 4.12.2. Organizations should upgrade to these versions or later to remediate this vulnerability. For detailed release notes and upgrade instructions, refer to the Zitadel v3.4.8 Release or Zitadel v4.12.2 Release. Additional details are available in the GitHub Security Advisory GHSA-83pv-4xxp-rm2x.
Workarounds
- Restrict network access to the SCIM API using firewall rules or reverse proxy configurations
- Implement additional authentication at the network layer (VPN, IP allowlisting) for SCIM endpoint access
- Deploy a Web Application Firewall (WAF) with rules to normalize URL-encoded characters before routing
- If SCIM provisioning is not required, disable the SCIM API entirely until the system is upgraded
# Example: Block SCIM API access via iptables until patched
# Allow only trusted identity provider IP
iptables -A INPUT -p tcp --dport 443 -m string --string "/scim/" --algo bm -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m string --string "/scim/" --algo bm -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
