CVE-2026-32132

7.4 HIGH
Published: March 11, 2026 Modified: March 16, 2026

Description

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in ZITADEL's passkey registration endpoints. These endpoints allow registering a new passkey using a previously retrieved code. An improper expiration check of that code could allow an attacker to register their own passkey and gain access to the victim's account. This vulnerability is fixed in 3.4.8 and 4.12.2.
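As an added illustration of the bug class the description names, and not ZITADEL's own code, the following Go snippet contrasts a registration-code check that ignores expiry with a hardened one that enforces expiry and single use; the RegistrationCode type, its fields, the error values and the function names are assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"time"
)

// RegistrationCode is a constructed model (not ZITADEL's own) of a one-time
// passkey registration code: its value, issue time, lifetime and use flag.
type RegistrationCode struct {
	Value    string
	IssuedAt time.Time
	Lifetime time.Duration
	Used     bool
}

var ErrCodeMismatch = errors.New("registration code does not match")
var ErrCodeExpired = errors.New("registration code has expired")
var ErrCodeUsed = errors.New("registration code was already used")

// weakVerify only compares the presented value: a code whose lifetime has
// lapsed still authorises registering a passkey on the account.
func weakVerify(stored *RegistrationCode, presented string) error {
	if subtle.ConstantTimeCompare([]byte(stored.Value), []byte(presented)) != 1 {
		return ErrCodeMismatch
	}
	return nil
}

// verifyRegistrationCode is the hardened form: consumed and expired codes are
// rejected before comparing, and a match is marked used so it cannot be replayed.
func verifyRegistrationCode(stored *RegistrationCode, presented string, now time.Time) error {
	if stored.Used {
		return ErrCodeUsed
	}
	if !now.Before(stored.IssuedAt.Add(stored.Lifetime)) {
		return ErrCodeExpired
	}
	if subtle.ConstantTimeCompare([]byte(stored.Value), []byte(presented)) != 1 {
		return ErrCodeMismatch
	}
	stored.Used = true
	return nil
}

func main() {
	stale := &RegistrationCode{Value: "constructed-code", IssuedAt: time.Now().Add(-time.Hour), Lifetime: 10 * time.Minute} // constructed sample
	println("weak accepts stale code:", weakVerify(stale, "constructed-code") == nil, "hardened rejects it:", errors.Is(verifyRegistrationCode(stale, "constructed-code", time.Now()), ErrCodeExpired))
}
```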

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

https://github.com/zitadel/zitadel/releases/tag/v3.4.8 (Product; source: security-advisories@github.com)
https://github.com/zitadel/zitadel/releases/tag/v4.12.2 (Product; source: security-advisories@github.com)
https://github.com/zitadel/zitadel/security/advisories/GHSA-2x66-r53r-9r86 (Vendor Advisory; source: security-advisories@github.com)

3 reference(s) from NVD

Quick Stats

CVSS v3 Score: 7.4 / 10.0
EPSS (Exploit Probability): 0.0% (12th percentile)
Exploitation Status: Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

zitadel