Product
ZITADEL's LDAP identity provider implementation fails to properly escape user-provided usernames before incorporating them into LDAP search filters, allowing unauthenticated attackers to perform LDAP Filter Injection to enumerate usernames and extract sensitive attribute data.