CVE-2026-32132 Overview
CVE-2026-32132 is an authentication bypass vulnerability in ZITADEL, an open source identity management platform. The flaw lies in ZITADEL's passkey registration endpoints, which did not properly check the expiration of registration codes. An attacker who had obtained a registration code for a victim's account could therefore use it after it should have expired to register their own passkey on that account and gain unauthorized access.
Critical Impact
Because expired passkey registration codes are still accepted, an attacker who obtains such a code can register their own passkey on the victim's account, bypass authentication and take the account over.
Affected Products
- ZITADEL versions prior to 3.4.8
- ZITADEL versions prior to 4.12.2
Discovery Timeline
- 2026-03-11 - CVE-2026-32132 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32132
Vulnerability Analysis
This vulnerability falls under CWE-613 (Insufficient Session Expiration), which relates to improper handling of session or token expiration. In this case, ZITADEL's passkey registration flow fails to properly validate the expiration timestamp of registration codes before allowing a new passkey to be registered.
The passkey registration process in ZITADEL involves retrieving a one-time code that authorizes the registration of a new authentication credential. Under normal circumstances, this code should have a limited validity window to prevent misuse. However, due to insufficient expiration validation, an attacker who obtains or intercepts a registration code could use it beyond its intended validity period.
Root Cause
The root cause is an improper expiration check within the passkey registration endpoint logic. The code responsible for validating registration codes does not adequately verify whether the code has exceeded its intended time-to-live (TTL) before processing the registration request. This allows expired codes to remain functional, extending the attack window for potential exploitation.
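To make the defect concrete, here is an added example in Go (ZITADEL's implementation language) that is not ZITADEL's own code: a hypothetical server-side check for a passkey registration code, once in the form the advisory describes, where the stored hash is compared but the creation time and TTL are never consulted, and once in a hardened form that rejects expired and already-consumed codes before looking at the secret at all. The type, function and error names are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// RegistrationCode is a hypothetical server-side record of a passkey
// registration code: a hash of the one-time secret sent to the user, when it
// was issued, how long it was meant to stay valid, and whether it has been
// consumed. It is not ZITADEL's actual data model.
type RegistrationCode struct {
	Hash      [32]byte
	CreatedAt time.Time
	TTL       time.Duration
	Used      bool
}

var (
	ErrCodeMismatch = errors.New("registration code does not match")
	ErrCodeExpired  = errors.New("registration code has expired")
	ErrCodeUsed     = errors.New("registration code already consumed")
)

// NewRegistrationCode stores only a hash of the secret, never the secret itself.
func NewRegistrationCode(secret string, issuedAt time.Time, ttl time.Duration) *RegistrationCode {
	return &RegistrationCode{Hash: sha256.Sum256([]byte(secret)), CreatedAt: issuedAt, TTL: ttl}
}

// VerifyVulnerable models the CWE-613 defect: the presented code is compared
// against the stored hash, but CreatedAt and TTL are never read, so a code
// that should have expired long ago is still accepted. The `now` argument is
// deliberately ignored; that omission is the bug.
func VerifyVulnerable(stored *RegistrationCode, presented string, now time.Time) error {
	h := sha256.Sum256([]byte(presented))
	if subtle.ConstantTimeCompare(h[:], stored.Hash[:]) != 1 {
		return ErrCodeMismatch
	}
	return nil
}

// VerifyFixed enforces the validity window and single use. Expiry is checked
// before the hash comparison so an expired code yields no information about
// whether it would have matched, and a code is only marked consumed after a
// successful match. A code is rejected at the exact instant CreatedAt+TTL.
func VerifyFixed(stored *RegistrationCode, presented string, now time.Time) error {
	if stored.Used {
		return ErrCodeUsed
	}
	if !now.Before(stored.CreatedAt.Add(stored.TTL)) {
		return ErrCodeExpired
	}
	h := sha256.Sum256([]byte(presented))
	if subtle.ConstantTimeCompare(h[:], stored.Hash[:]) != 1 {
		return ErrCodeMismatch
	}
	stored.Used = true
	return nil
}

func main() {
	// Constructed scenario: a code issued with a 10-minute TTL is presented two hours later.
	issued := time.Date(2026, 3, 11, 10, 0, 0, 0, time.UTC)
	code := NewRegistrationCode("constructed-secret-123", issued, 10*time.Minute)
	late := issued.Add(2 * time.Hour)

	fmt.Println("vulnerable check, 2h after issue:", VerifyVulnerable(code, "constructed-secret-123", late))
	fmt.Println("fixed check, 2h after issue:     ", VerifyFixed(code, "constructed-secret-123", late))
}
```

Passing `now` in rather than calling `time.Now()` inside the check is what makes the expiry boundary testable; in production the caller supplies the server clock. The same shape applies to any one-time code (email verification, password reset, MFA enrolment): check consumed, check expiry, then compare, and compare in constant time.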
Attack Vector
The attack vector is network-based with high complexity, requiring no privileges or user interaction. An attacker would need to:
- Obtain a passkey registration code issued for the victim's account, for example by intercepting the message that delivers it or through social engineering
- Present that code to the passkey registration endpoint; because expiry is not enforced, this works even after the code's intended validity window has passed, for instance after the legitimate user abandoned the registration flow
- Register an attacker-controlled passkey on the victim's account with that code
- Authenticate as the victim using the newly registered passkey
The vulnerability is exploitable remotely over the network. The high attack complexity reflects the need to obtain a registration code issued for the victim in the first place; what the vulnerability removes is the time pressure that would otherwise limit how long such a code stays useful. Once exploited, the attacker holds a valid credential for the victim's account, with high confidentiality and integrity impact.
Detection Methods for CVE-2026-32132
Indicators of Compromise
- Passkey registrations occurring significantly after the initial code generation timestamp
- Multiple passkey registration attempts using the same registration code
- Passkey registrations from unexpected IP addresses or geographic locations
- Authentication events from newly registered passkeys that don't match the user's typical behavior patterns
Detection Strategies
- Log all passkey registration events with timestamps, source IPs and an identifier or hash of the registration code involved; do not write the code value itself to logs, since it is a bearer secret
- Create alerts for passkey registrations that complete more than a configurable threshold (at most the code's intended TTL) after the code was generated
- Monitor for multiple authentication devices being registered to a single account in rapid succession
- Correlate passkey registration events with user session activity to identify anomalous registrations
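The strategies above can be run as a single pass over exported audit events. The following is an added example in Go, not tooling from ZITADEL: it parses JSON-lines audit events, pairs each passkey registration with the code issuance it references, and flags registrations that complete long after the code was issued, reuse a code, come from a different source IP than the code request, or reference no issued code at all. The event names (passkey.code.issued, passkey.registered), field names, the 10-minute threshold and the log lines are all constructed for this example; map your own ZITADEL event export onto them.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent is the assumed shape of one exported audit event. The field and
// event names are constructed for this example, not ZITADEL's schema; code_id
// is an identifier for the code, never the code value itself.
type AuditEvent struct {
	Time   time.Time `json:"ts"`
	Type   string    `json:"event"` // "passkey.code.issued" or "passkey.registered"
	UserID string    `json:"user_id"`
	CodeID string    `json:"code_id"`
	IP     string    `json:"ip"`
}

// Finding is one suspicious registration with every reason it tripped.
type Finding struct {
	Time    time.Time
	UserID  string
	CodeID  string
	Reasons []string
}

// SampleLog is constructed input: u1 is a normal flow; u2's code is used 16.5 h
// after issue, twice, from a different IP; u3 registers with a code never issued.
const SampleLog = `
{"ts":"2026-03-11T09:00:00Z","event":"passkey.code.issued","user_id":"u1","code_id":"c1","ip":"203.0.113.10"}
{"ts":"2026-03-11T09:03:00Z","event":"passkey.registered","user_id":"u1","code_id":"c1","ip":"203.0.113.10"}
{"ts":"2026-03-11T10:00:00Z","event":"passkey.code.issued","user_id":"u2","code_id":"c2","ip":"203.0.113.20"}
{"ts":"2026-03-12T02:30:00Z","event":"passkey.registered","user_id":"u2","code_id":"c2","ip":"198.51.100.7"}
{"ts":"2026-03-12T02:31:00Z","event":"passkey.registered","user_id":"u2","code_id":"c2","ip":"198.51.100.7"}
{"ts":"2026-03-12T03:00:00Z","event":"passkey.registered","user_id":"u3","code_id":"c9","ip":"198.51.100.9"}
`

// ParseEvents reads JSON-lines audit events and returns them in time order,
// since exports are not guaranteed to be sorted.
func ParseEvents(log string) ([]AuditEvent, error) {
	var events []AuditEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		events = append(events, e)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, nil
}

// Analyze correlates registrations with issuances. maxAge is the longest
// acceptable gap between code issue and registration (at most the code's TTL).
func Analyze(events []AuditEvent, maxAge time.Duration) []Finding {
	issued := make(map[string]AuditEvent) // code_id -> issuance event
	uses := make(map[string]int)          // code_id -> registrations seen so far
	var findings []Finding
	for _, e := range events {
		switch e.Type {
		case "passkey.code.issued":
			issued[e.CodeID] = e
		case "passkey.registered":
			uses[e.CodeID]++
			var reasons []string
			if iss, ok := issued[e.CodeID]; !ok {
				reasons = append(reasons, "no issued code on record for this registration")
			} else {
				if age := e.Time.Sub(iss.Time); age > maxAge {
					reasons = append(reasons, fmt.Sprintf("registered %s after code issue (limit %s)", age, maxAge))
				}
				if e.IP != iss.IP {
					reasons = append(reasons, fmt.Sprintf("registration from %s but code requested from %s", e.IP, iss.IP))
				}
			}
			if uses[e.CodeID] > 1 {
				reasons = append(reasons, "registration code used more than once")
			}
			if len(reasons) > 0 {
				findings = append(findings, Finding{Time: e.Time, UserID: e.UserID, CodeID: e.CodeID, Reasons: reasons})
			}
		}
	}
	return findings
}

// AnalyzeLog is the one-call entry point: parse, then correlate.
func AnalyzeLog(log string, maxAge time.Duration) ([]Finding, error) {
	events, err := ParseEvents(log)
	if err != nil {
		return nil, err
	}
	return Analyze(events, maxAge), nil
}

func main() {
	findings, err := AnalyzeLog(SampleLog, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s user=%s code=%s: %s\n", f.Time.Format(time.RFC3339), f.UserID, f.CodeID, strings.Join(f.Reasons, "; "))
	}
}
```

On the constructed input this reports three findings, all for u2 and u3 and none for u1. The "no issued code on record" case matters after the fact: if your log retention is shorter than the attacker's delay, a late registration will show up with no matching issuance, so treat that as suspicious rather than as missing data.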
Monitoring Recommendations
- Enable detailed audit logging for all identity management operations in ZITADEL
- Set up real-time alerting for passkey registration events, particularly for privileged accounts
- Review registered passkeys periodically to identify any unauthorized credentials
- Implement user notifications when new passkeys are registered to their account
How to Mitigate CVE-2026-32132
Immediate Actions Required
- Upgrade ZITADEL to version 3.4.8 or later for the 3.x branch
- Upgrade ZITADEL to version 4.12.2 or later for the 4.x branch
- Audit existing passkey registrations and remove any credential the account owner does not recognize; this is the step that actually evicts an attacker, since patching does not delete passkeys that were already registered
- Consider invalidating outstanding passkey registration codes and requiring re-authentication for all users after applying the patch
Patch Information
ZITADEL has released security patches that address this vulnerability. Users should upgrade to one of the following fixed versions:
- Version 3.4.8 - GitHub Release v3.4.8
- Version 4.12.2 - GitHub Release v4.12.2
For complete technical details, refer to the GitHub Security Advisory GHSA-2x66-r53r-9r86.
Workarounds
- Temporarily disable passkey registration functionality if immediate patching is not possible
- Implement additional network-level controls to restrict access to passkey registration endpoints
- Enable enhanced monitoring and alerting on passkey registration activities
- Consider implementing additional authentication factors for passkey registration workflows until patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.