Knock Knock, Who's There? Unmasking User Enumeration in ZITADEL
Jan 15, 2026 · 7 min read
Executive Summary (TL;DR)
ZITADEL versions prior to 4.9.1 and 3.4.6 were too honest for their own good. The application leaked user existence through inconsistent error handling in password reset flows and faulty UI logic. A password reset request for a valid user produced a different response than one for an invalid user, leaking account metadata via error messages or even via the presence of the password complexity policy in the UI. The fix? Lying to the user. The system now returns the same generic response whether or not the account exists.
ZITADEL, a popular open-source identity management platform, suffered from a logic flaw that allowed unauthenticated attackers to confirm the existence of valid user accounts. By analyzing subtle discrepancies in error messages and UI behavior during password reset and login flows, attackers could harvest UserIDs and usernames, bypassing the platform's 'Ignore Unknown Usernames' security setting.
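To make the discrepancy concrete, here is an added example (not ZITADEL's own code) in Go, the language ZITADEL is written in: a reset handler whose client-visible response differs between known and unknown accounts, beside a hardened one that answers identically and only differs in an out-of-band side effect. The in-memory user store, the response shape and all function names are assumptions made for illustration.

```go
package main

import "fmt"

// Constructed in-memory user store standing in for ZITADEL's user lookup (assumption).
var users = map[string]bool{"alice@example.com": true}

// mailQueue records which accounts would receive a reset mail. It is a side
// effect the caller never sees, so it cannot be used to tell accounts apart.
var mailQueue []string

// ResetResponse models what the reset endpoint hands back to the client.
type ResetResponse struct {
	Code                string // "OK" or an error code
	PasswordPolicyShown bool   // did the UI render the password complexity policy?
}

// vulnerableReset mirrors the behaviour the advisory describes: the response
// depends on whether the account exists, even when unknown usernames are
// supposed to be ignored, so the difference alone reveals existence.
func vulnerableReset(username string, ignoreUnknown bool) ResetResponse {
	if !users[username] {
		if ignoreUnknown {
			// Error suppressed, but the policy block is only rendered for real users.
			return ResetResponse{Code: "OK", PasswordPolicyShown: false}
		}
		return ResetResponse{Code: "USER_NOT_FOUND"}
	}
	mailQueue = append(mailQueue, username)
	return ResetResponse{Code: "OK", PasswordPolicyShown: true}
}

// hardenedReset answers identically for every input; only the out-of-band
// side effect (queueing the mail) depends on the account existing.
func hardenedReset(username string) ResetResponse {
	if users[username] {
		mailQueue = append(mailQueue, username)
	}
	return ResetResponse{Code: "OK", PasswordPolicyShown: true}
}

// indistinguishable is the regression check a defender keeps in CI: one known
// and one unknown input must yield the same client-visible response.
func indistinguishable(a, b ResetResponse) bool { return a == b }

func main() {
	known, unknown := "alice@example.com", "nobody@example.com"
	fmt.Println("vulnerable leaks:", !indistinguishable(vulnerableReset(known, true), vulnerableReset(unknown, true)))
	fmt.Println("hardened leaks:  ", !indistinguishable(hardenedReset(known), hardenedReset(unknown)))
}
```

The same check generalises to login and registration endpoints: compare status code, body and rendered policy for a known and an unknown identity, and fail the build on any difference.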
Fix Analysis
Technical Appendix
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ZITADEL | >= 4.0.0, <= 4.9.0 | 4.9.1 |
| ZITADEL | >= 3.0.0, <= 3.4.5 | 3.4.6 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-204 |
| Attack Vector | Network (API/Web) |
| CVSS | 5.3 (Medium) |
| Privileges Required | None |
| Impact | Confidentiality (Metadata) |
| Exploit Status | PoC Available |
MITRE ATT&CK Mapping
Observable Response Discrepancy