CVE-2026-27946 in Zitadel

Summary

by MITRE • 02/26/2026

ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.


Analysis

by VulDB Data Team • 03/05/2026

The vulnerability identified as CVE-2026-27946 affects ZITADEL, an open source identity management platform that serves as a comprehensive solution for authentication and user management. The flaw resides within the platform's self-management capabilities, specifically in the verification mechanisms for user email addresses and phone numbers. It represents a critical weakness in the platform's access control and identity verification processes, potentially allowing unauthorized users to bypass legitimate verification procedures.

The technical flaw manifests in the improper handling of verification flags within ZITADEL's user management system. Prior to the patched versions 4.11.1 and 3.4.7, the platform allowed users to set their own email and phone verification flags to true without completing any actual verification step. This design flaw effectively enabled privilege escalation, whether through social engineering or by directly setting the flag via the user management interface. The vulnerability aligns with CWE-284, which addresses improper access control, and specifically relates to inadequate permission checks during user attribute modifications. Attackers could exploit this weakness to mark arbitrary email addresses and phone numbers on their own account as verified, potentially enabling account takeover scenarios or bypassing security controls that depend on verified contact information.

The operational impact of this vulnerability extends beyond simple identity verification bypasses and creates significant security risks for organizations relying on ZITADEL for user authentication. The ability to mark email addresses and phone numbers as verified without proper validation undermines the integrity of the entire identity management system, potentially allowing malicious actors to assume legitimate user identities or circumvent multi-factor authentication requirements. This vulnerability particularly affects systems where verified contact information serves as a security boundary for account recovery processes, password resets, or privileged access controls. The flaw creates an attack surface that aligns with ATT&CK technique T1566, which covers social engineering tactics, and T1078, which addresses valid accounts as a means of gaining access to systems.

The remediation implemented in versions 4.11.1 and 3.4.7 addresses the core issue by enforcing proper permission checks when verification flags are modified. The patch ensures that a verification flag supplied in a request is only honoured when the caller holds the appropriate permission, so the flag can otherwise only be set through the legitimate verification process rather than by direct manipulation. Additionally, the update restricts self-management to modification of the email address and/or phone number itself, not the verification status. Organizations unable to upgrade immediately can implement a workaround through an action (v2) that prevents the verification flag from being set on the user's own account. This mitigation approach aligns with security best practices for vulnerability remediation and demonstrates the importance of proper access control implementation in identity management systems. The fix represents a fundamental improvement in the platform's security posture and helps maintain the integrity of the user identity verification processes on which secure authentication depends.
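The vulnerable and patched permission checks described in the summary and the remediation paragraph above, as an added Go sketch that is not ZITADEL's own code; the type names and the "user.write" permission are assumptions chosen for illustration:

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration of the flaw described on this page, not ZITADEL's own
// code; the type names and the "user.write" permission are assumptions.
var errDenied = errors.New("permission denied")
type Caller struct {
	UserID string
	Perms  map[string]bool // management permission held by admins, not plain users
}

type SetEmailRequest struct {
	Email      string
	IsVerified *bool // optional; nil means the flag was not provided
}

type User struct {
	ID, Email     string
	EmailVerified bool
}

// Pre-4.11.1 / pre-3.4.7 behaviour: checks only that the caller edits their
// own user (or holds the permission), then trusts the supplied flag blindly.
func setEmailVulnerable(c Caller, u *User, req SetEmailRequest) error {
	if c.UserID != u.ID && !c.Perms["user.write"] {
		return errDenied
	}
	u.Email, u.EmailVerified = req.Email, req.IsVerified != nil && *req.IsVerified
	return nil
}

// Patched behaviour: providing the flag at all requires the permission; plain
// self-service may only change the address, which then starts unverified.
func setEmailFixed(c Caller, u *User, req SetEmailRequest) error {
	if (c.UserID != u.ID || req.IsVerified != nil) && !c.Perms["user.write"] {
		return errDenied
	}
	u.Email, u.EmailVerified = req.Email, req.IsVerified != nil && *req.IsVerified
	return nil
}

func main() {
	yes, v, f := true, &User{ID: "u1"}, &User{ID: "u1"}
	req := SetEmailRequest{Email: "new@example.test", IsVerified: &yes}
	fmt.Println(setEmailVulnerable(Caller{UserID: "u1"}, v, req), v.EmailVerified, setEmailFixed(Caller{UserID: "u1"}, f, req), f.EmailVerified)
}
```

The same check applies to the phone number path; an action (v2) workaround would enforce the second condition of setEmailFixed in front of the unpatched API.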

Responsible: GitHub M
Reservation: 02/25/2026
Disclosure: 02/26/2026
Moderation: accepted
CPE: ready
EPSS: 0.00044
KEV: no
Activities: very low
