Home / Vulnerability Intelligence / CVE-2026-29067

CVE-2026-29067 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 9, 2026

ZITADEL - Open Redirect

Published: March 7, 2026Updated: March 9, 2026Remote Exploitable

Overview

ZITADEL 4.0.0-rc.1 to 4.7.0 contains an open redirect vulnerability caused by using untrusted Forwarded or X-Forwarded-Host headers to construct password reset confirmation URLs, letting attackers redirect users via crafted links, exploit requires sending crafted requests.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 1.1%(Probability of exploitation in next 30 days)

Impact

Attackers can redirect users to malicious sites via password reset links, potentially leading to phishing or credential theft.

Mitigation

Upgrade to version 4.7.1 or later.

References

https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🟠 CVE-2026-29067 - High (8.1) ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming r... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29067/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-29067
Severity: High
CVSS Score: 8.1
Type: open_redirect
Status: unconfirmed
EPSS: 1.1%
Social Posts: 1

CWE

CWE-601

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS Score

1.1%Probability of exploitation in the next 30 days