+ "details": "### Summary\n\nA vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton.\n\n### Impact\n\nZitadel enables administrators to configure their organization’s login behavior and security policies. As part of this functionality, they can disable user self-registration, enforce passwordless logins only, and more.\n\nDue to improper enforcement an attacker could send direct HTTP requests to the login UI and create accounts in organizations that have disabled user self-registration, and gain unauthorized access to the system.\nThe same attack vector could be used to authenticate for example using username and password even when this login method was disabled.\n\n### Affected Versions\n\nSystems running one of the following versions are affected:\n- **4.x**: `4.0.0` through `4.12.0` (including RC versions)\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by enforcing the policies on the logiin UI server.\n\n4.x: Upgrade to >=[4.12.1](https://github.com/zitadel/zitadel/releases/tag/v4.12.1)\n\n### Workarounds\n\nThe recommended solution is to upgrade to a patched version.\n\n### Questions\n\nIf there are any questions or comments about this advisory, please send an email to [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits \n\nZITADEL extends thanks once again to Amit Laish from GE Vernova for finding and reporting the vulnerability.",
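Review bot: the `details` text carries two typos that will render verbatim in the published advisory: "organizaton" in the Summary should be "organization", and "logiin UI server" in the Patches section should be "login UI server"; there is also a trailing space in the "### Credits " heading. The Workarounds section only repeats the upgrade advice from Patches; if no interim mitigation exists for 4.0.0 through 4.12.0, state that explicitly so readers do not search for one.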