PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56666 zitadel CVE debrief

A medium-severity vulnerability was found in ZITADEL, an open-source identity management platform. The external identity provider handler does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3. The vulnerability exists in ZITADEL's external identity provider handler. Prior to version 4.15.3, the handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email.

Vendor
zitadel
Product
Unknown
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of ZITADEL, especially those with external identity providers configured, should verify their configurations and update to version 4.15.3 to mitigate this vulnerability. This includes administrators and security teams responsible for managing ZITADEL deployments, as well as developers who may be impacted by the vulnerability.

Technical summary

The vulnerability exists in ZITADEL's external identity provider handler. Prior to version 4.15.3, the handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email. This allows a permissive provider account with a victim email address to be linked to the victim's local account. The CVSS score for this vulnerability is 4.8, indicating a medium severity.

Defensive priority

Medium priority should be given to updating ZITADEL to version 4.15.3, as the vulnerability allows for potential account linking issues with external identity providers.

Recommended defensive actions

  • Update ZITADEL to version 4.15.3 or later
  • Verify external identity provider configurations
  • Monitor for suspicious account linking activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-10T18:16:24.150Z and was last modified on 2026-07-10T18:56:43.823Z. The NVD entry is currently Deferred. The external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email. This allows a permissive provider account with a victim email address to be linked to the victim's local account. The CVSS score for this vulnerability is 4.8, indicating a medium severity. Users of ZITADEL, especially those with external identity providers configured, should verify their configurations and update to version 4.15.3 to mitigate this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T18:16:24.150Z and has not been modified since then. The NVD entry is currently Deferred.