CVE-2024-49757

HIGH NUCLEI

Zitadel <2.64.0-2.58.7 - Auth Bypass

Title source: llm

Description

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

Nuclei Templates (1)

Zitadel - User Registration Bypass

HIGHVERIFIEDby Sujal Tuladhar

Shodan: title:"Zitadel"

References (8)

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.58.7

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.59.5

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.60.4

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.61.4

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.62.7

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.63.5

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.64.0

[Patch, Vendor Advisory] https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc

Scores

CVSS v3 7.5

EPSS 0.1077

EPSS Percentile 93.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-287

Status published

Products (2)

zitadel/zitadel < 2.58.7

zitadel/zitadel 2.63.0 - 2.63.5Go

Published Oct 25, 2024

Tracked Since Feb 18, 2026