{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zitadel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ZITADEL (4.0.0 - 4.14.0)","ZITADEL (2.71.11 - 2.71.19)","ZITADEL (3.1.0 - 3.4.9)"],"_cs_severities":["high"],"_cs_tags":["ldap-injection","information-disclosure","zitadel"],"_cs_type":"advisory","_cs_vendors":["ZITADEL"],"content_html":"\u003cp\u003eA vulnerability has been identified in ZITADEL\u0026rsquo;s LDAP identity provider implementation. The application fails to adequately escape user-provided usernames before incorporating them into LDAP search filters during the login process. This flaw enables unauthenticated attackers to perform LDAP Filter Injection, potentially leading to information disclosure. Versions affected include ZITADEL 4.0.0 through 4.14.0, 3.1.0 through 3.4.9, and 2.71.11 through 2.71.19. Successful exploitation allows an attacker to enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. While a full authentication bypass is not possible, the systematic enumeration of usernames poses a significant risk. The vulnerability was reported by ProScan AppSec.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker initiates a login attempt to the ZITADEL instance via the web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker provides a username containing LDAP metacharacters (e.g., \u003ccode\u003e*\u003c/code\u003e, \u003ccode\u003e(\u003c/code\u003e, \u003ccode\u003e)\u003c/code\u003e) crafted to perform LDAP injection.\u003c/li\u003e\n\u003cli\u003eZITADEL\u0026rsquo;s LDAP identity provider receives the crafted username without proper sanitization or escaping.\u003c/li\u003e\n\u003cli\u003eThe application incorporates the malicious username into an LDAP search filter.\u003c/li\u003e\n\u003cli\u003eThe crafted LDAP query is executed against the connected LDAP directory.\u003c/li\u003e\n\u003cli\u003eThe LDAP directory processes the malicious query, potentially disclosing information or causing errors.\u003c/li\u003e\n\u003cli\u003eZITADEL relays the LDAP response back to the user interface.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the success or failure responses to enumerate valid usernames and extract attribute data through blind LDAP injection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory. This could lead to unauthorized access to sensitive information, privilege escalation, or further attacks against the organization. Although a full authentication bypass is not possible, the information gained through this vulnerability can be used to facilitate other malicious activities. The exact number of affected organizations is currently unknown, but any organization using ZITADEL with LDAP integration within the specified version ranges is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ZITADEL to version 4.15.0 or later, 3.4.10 or later, or 2.71.20 or later to remediate the LDAP injection vulnerability as documented in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LDAP Injection Attempts via ZITADEL Login\u0026rdquo; to identify potential exploitation attempts in webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for suspicious characters in usernames during login attempts that may indicate LDAP injection attempts, as shown in the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and harden LDAP directory access controls to limit the scope of information disclosure in case of successful exploitation, as recommended in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T17:11:29Z","date_published":"2026-05-08T17:11:29Z","id":"/briefs/2026-05-zitadel-ldap-injection/","summary":"ZITADEL's LDAP identity provider implementation fails to properly escape user-provided usernames before incorporating them into LDAP search filters, allowing unauthenticated attackers to perform LDAP Filter Injection to enumerate usernames and extract sensitive attribute data.","title":"ZITADEL LDAP Filter Injection Vulnerability in Login Flow","url":"https://feed.craftedsignal.io/briefs/2026-05-zitadel-ldap-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Zitadel","version":"https://jsonfeed.org/version/1.1"}