Vulnerability Report: GO-2026-4319

CVE-2026-23511, GHSA-pvm5-9frx-264r
Affects: github.com/zitadel/zitadel
Published: Jan 23, 2026

Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v3.4.6, from v4.0.0 before v4.9.1.

For detailed information about this vulnerability, visit https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r or https://nvd.nist.gov/vuln/detail/CVE-2026-23511.

Affected Packages

Path

Versions

Symbols

Aliases

CVE-2026-23511
GHSA-pvm5-9frx-264r

References

https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r
https://nvd.nist.gov/vuln/detail/CVE-2026-23511
https://github.com/zitadel/zitadel/commit/0bb00dd9fc4e5e965f8e14fa2161a5076f3c308d
https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2
https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d
https://github.com/zitadel/zitadel/releases/tag/v3.4.6
https://github.com/zitadel/zitadel/releases/tag/v4.9.1
https://vuln.go.dev/ID/GO-2026-4319.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL