216.73.217.176

CVE-2026-27946

· Published 26/02/2026 01:16 · Modified 27/02/2026 14:06

Labels: CVE-2026-27946 2026-02-26CVE-2026-27946CWE-862[email protected]

Essential information

Published
26/02/2026 01:16
Modified
27/02/2026 14:06
Author
Creator
CVSS
8.2 HIGH (v3) 8.2 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
zitadel / zitadel cpe:2.3:a:zitadel:zitadel:4.11.1:*:*:*:*:*:*:*
zitadel / zitadel cpe:2.3:a:zitadel:zitadel:3.4.7:*:*:*:*:*:*:*
zitadel / zitadel cpe:2.3:a:zitadel:zitadel:<4.11.1:*:*:*:*:*:*
zitadel / zitadel cpe:2.3:a:zitadel:zitadel:<3.4.7:*:*:*:*:*:*

References