Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32132

CVE-2026-32132: ZITADEL Auth Bypass Vulnerability

CVE-2026-32132 is an authentication bypass flaw in ZITADEL that allows attackers to register unauthorized passkeys and gain account access. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-32132 Overview

CVE-2026-32132 is an authentication bypass vulnerability in ZITADEL, an open source identity management platform. The vulnerability exists in ZITADEL's passkey registration endpoints, where an improper expiration check of registration codes could allow an attacker to register their own passkey using a previously retrieved code and gain unauthorized access to a victim's account.

Critical Impact

Attackers can potentially bypass authentication and take over user accounts by exploiting improper code expiration validation in passkey registration endpoints.

Affected Products

  • ZITADEL versions prior to 3.4.8
  • ZITADEL versions prior to 4.12.2

Discovery Timeline

  • 2026-03-11 - CVE-2026-32132 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-32132

Vulnerability Analysis

This vulnerability falls under CWE-613 (Insufficient Session Expiration), which relates to improper handling of session or token expiration. In this case, ZITADEL's passkey registration flow fails to properly validate the expiration timestamp of registration codes before allowing a new passkey to be registered.

The passkey registration process in ZITADEL involves retrieving a one-time code that authorizes the registration of a new authentication credential. Under normal circumstances, this code should have a limited validity window to prevent misuse. However, due to insufficient expiration validation, an attacker who obtains or intercepts a registration code could use it beyond its intended validity period.

Root Cause

The root cause is an improper expiration check within the passkey registration endpoint logic. The code responsible for validating registration codes does not adequately verify whether the code has exceeded its intended time-to-live (TTL) before processing the registration request. This allows expired codes to remain functional, extending the attack window for potential exploitation.

Attack Vector

The attack vector is network-based with high complexity, requiring no privileges or user interaction. An attacker would need to:

  1. Obtain a valid passkey registration code through interception, social engineering, or other means
  2. Wait until after the code's intended expiration (when the legitimate user may have abandoned the registration process)
  3. Use the expired code to register their own passkey to the victim's account
  4. Authenticate as the victim using the newly registered passkey

The vulnerability is exploitable remotely over the network. The high attack complexity stems from the requirement to obtain a valid registration code before it would normally expire, and timing the attack appropriately. However, once exploited, the attacker gains full access to the victim's account with high confidentiality and integrity impact.

Detection Methods for CVE-2026-32132

Indicators of Compromise

  • Passkey registrations occurring significantly after the initial code generation timestamp
  • Multiple passkey registration attempts using the same registration code
  • Passkey registrations from unexpected IP addresses or geographic locations
  • Authentication events from newly registered passkeys that don't match the user's typical behavior patterns

Detection Strategies

  • Implement logging of all passkey registration events including timestamps, source IPs, and associated registration codes
  • Create alerts for passkey registrations that occur more than a configurable threshold after code generation
  • Monitor for multiple authentication devices being registered to a single account in rapid succession
  • Correlate passkey registration events with user session activity to identify anomalous registrations

Monitoring Recommendations

  • Enable detailed audit logging for all identity management operations in ZITADEL
  • Set up real-time alerting for passkey registration events, particularly for privileged accounts
  • Review registered passkeys periodically to identify any unauthorized credentials
  • Implement user notifications when new passkeys are registered to their account

How to Mitigate CVE-2026-32132

Immediate Actions Required

  • Upgrade ZITADEL to version 3.4.8 or later for the 3.x branch
  • Upgrade ZITADEL to version 4.12.2 or later for the 4.x branch
  • Audit existing passkey registrations for any suspicious activity
  • Consider requiring re-authentication for all users after applying the patch

Patch Information

ZITADEL has released security patches that address this vulnerability. Users should upgrade to one of the following fixed versions:

For complete technical details, refer to the GitHub Security Advisory GHSA-2x66-r53r-9r86.

Workarounds

  • Temporarily disable passkey registration functionality if immediate patching is not possible
  • Implement additional network-level controls to restrict access to passkey registration endpoints
  • Enable enhanced monitoring and alerting on passkey registration activities
  • Consider implementing additional authentication factors for passkey registration workflows until patched

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.