Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32130

CVE-2026-32130: ZITADEL SCIM API Auth Bypass Vulnerability

CVE-2026-32130 is an authentication bypass flaw in ZITADEL's SCIM API that allows unauthenticated attackers to access sensitive user information. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-32130 Overview

ZITADEL, an open source identity management platform, contains an authentication bypass vulnerability in its System for Cross-domain Identity Management (SCIM) API. The vulnerability affects versions from 2.68.0 to before 3.4.8 and 4.12.2. When requests are sent to the SCIM API with URL-encoded path values, the requests are correctly routed but bypass necessary authentication and permission checks. This allows unauthenticated attackers to retrieve sensitive information including names, email addresses, phone numbers, addresses, external IDs, and roles from the identity management system.

Critical Impact

Unauthenticated remote attackers can access sensitive user identity data through the SCIM API without any credentials, potentially exposing personally identifiable information (PII) of all users managed by the ZITADEL instance.

Affected Products

  • ZITADEL versions 2.68.0 to before 3.4.8
  • ZITADEL versions 4.x to before 4.12.2

Discovery Timeline

  • March 11, 2026 - CVE-2026-32130 published to NVD
  • March 12, 2026 - Last updated in NVD database

Technical Details for CVE-2026-32130

Vulnerability Analysis

This vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The SCIM API endpoint in ZITADEL is designed to allow external identity providers to provision users into the platform. However, the authentication middleware fails to properly validate requests when the URL path contains URL-encoded characters.

When a request reaches the SCIM endpoint with URL-encoded path segments (such as %2F instead of /), the routing layer correctly interprets and routes the request to the appropriate handler. However, the authentication and authorization checks that should be applied to these requests do not properly decode and validate the path, resulting in the request bypassing security controls entirely.

The impact is limited to read operations—attackers can retrieve user data but cannot modify or delete records due to additional integrity checks in the data manipulation layer.

Root Cause

The root cause is improper URL decoding handling in the authentication middleware. The routing logic and the authentication logic use different path normalization approaches, creating a discrepancy that allows attackers to craft requests that bypass authentication while still reaching protected endpoints. This is a common pattern in path traversal and authentication bypass vulnerabilities where different components handle URL encoding inconsistently.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker with network access to a vulnerable ZITADEL instance can exploit this vulnerability by sending specially crafted HTTP requests to the SCIM API endpoint with URL-encoded path values.

The attack flow involves:

  1. Identifying a ZITADEL instance exposing the SCIM API
  2. Crafting requests with URL-encoded path segments to bypass authentication
  3. Querying the SCIM endpoint to enumerate and extract user data including names, email addresses, phone numbers, physical addresses, external identifiers, and role assignments

Due to the nature of identity management platforms, a successful exploit could expose the entire user directory of an organization.

Detection Methods for CVE-2026-32130

Indicators of Compromise

  • Unusual HTTP requests to SCIM API endpoints containing URL-encoded path characters such as %2F, %2E, or %5C
  • High volume of unauthenticated requests to /scim/ or related identity management endpoints
  • Access logs showing successful SCIM API responses without corresponding authentication events
  • Data exfiltration patterns indicating bulk user enumeration through the SCIM interface

Detection Strategies

  • Monitor web application logs for SCIM API requests containing percent-encoded characters in the URL path
  • Implement anomaly detection for unauthenticated access patterns to identity management endpoints
  • Correlate SCIM API access logs with authentication logs to identify requests that bypassed authentication
  • Deploy Web Application Firewall (WAF) rules to detect and alert on URL-encoded path manipulation attempts

Monitoring Recommendations

  • Enable detailed access logging on ZITADEL instances with request path and authentication status
  • Configure alerts for high-frequency SCIM API queries from single IP addresses or unusual geographic locations
  • Review historical SCIM API access logs for signs of prior exploitation before patching

How to Mitigate CVE-2026-32130

Immediate Actions Required

  • Upgrade to ZITADEL version 3.4.8 or 4.12.2 immediately
  • Review SCIM API access logs for evidence of exploitation
  • Consider temporarily disabling the SCIM API if not actively used until patching is complete
  • Implement network-level access controls to restrict SCIM API access to trusted identity providers

Patch Information

The vulnerability has been fixed in ZITADEL versions 3.4.8 and 4.12.2. Organizations should upgrade to these versions or later to remediate this vulnerability. For detailed release notes and upgrade instructions, refer to the Zitadel v3.4.8 Release or Zitadel v4.12.2 Release. Additional details are available in the GitHub Security Advisory GHSA-83pv-4xxp-rm2x.

Workarounds

  • Restrict network access to the SCIM API using firewall rules or reverse proxy configurations
  • Implement additional authentication at the network layer (VPN, IP allowlisting) for SCIM endpoint access
  • Deploy a Web Application Firewall (WAF) with rules to normalize URL-encoded characters before routing
  • If SCIM provisioning is not required, disable the SCIM API entirely until the system is upgraded
bash
# Example: Block SCIM API access via iptables until patched
# Allow only trusted identity provider IP
iptables -A INPUT -p tcp --dport 443 -m string --string "/scim/" --algo bm -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m string --string "/scim/" --algo bm -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.