ZITADEL LDAP Filter Injection Exposes Usernames, Attributes

The National Vulnerability Database has disclosed CVE-2026-44671, a high-severity LDAP filter injection vulnerability in ZITADEL, an open-source identity management platform. Affected are versions from 2.71.11 up to but not including 3.4.10, and from 4.0.0 up to but not including 4.15.0. The flaw lies in ZITADEL's LDAP identity provider, which fails to escape user-supplied usernames before inserting them into the LDAP search filters it issues during login.

This is not a full authentication bypass, but it lets unauthenticated attackers perform blind LDAP injection. By placing LDAP filter metacharacters such as *, ( and ) in the username field, an attacker turns the login step into a true/false oracle: the login response differs depending on whether the injected filter matched a directory entry, so valid usernames can be enumerated one guess at a time. The same oracle can be pointed at other attributes of a matched entry, which means sensitive attribute data in the connected LDAP directory can be extracted through nothing more than the login prompt.
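To make the mechanism concrete, here is an added Go example (not ZITADEL's code, and not from the advisory) that contrasts a filter built by unescaped string concatenation with one that applies RFC 4515 escaping. The uid attribute, the surrounding filter template and the payloads are assumptions for illustration; the escaping function mirrors what go-ldap's ldap.EscapeFilter does, reimplemented inline so the example needs no third-party module.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for use inside an LDAP search filter as
// RFC 4515 section 3 requires: backslash, asterisk, parentheses and NUL become
// a backslash followed by the byte's two-digit hex code. go-ldap's
// ldap.EscapeFilter does the same; it is reimplemented here so the example
// runs without a third-party module.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildFilterVulnerable models the flawed pattern the advisory describes: the
// username is concatenated into the filter unescaped. The uid attribute and
// the surrounding filter are assumptions for this example, not ZITADEL's
// actual configuration.
func buildFilterVulnerable(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", username)
}

// buildFilterSafe is the hardened form: identical filter, escaped username,
// so any metacharacters the user typed are matched as literal bytes.
func buildFilterSafe(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", escapeFilterValue(username))
}

// openParenCount is a coarse sanity check a caller can apply: this filter
// template has exactly three "(" when the username contributes none.
func openParenCount(filter string) int {
	return strings.Count(filter, "(")
}

func main() {
	// Constructed payloads covering the two outcomes the advisory describes.
	payloads := []string{
		"alice",          // benign input
		"alice*",         // wildcard: also matches alice2, alicia, ... (username enumeration)
		"alice)(mail=a*", // extra clause: true only if alice's mail starts with "a" (blind attribute extraction)
	}
	for _, p := range payloads {
		v, s := buildFilterVulnerable(p), buildFilterSafe(p)
		fmt.Printf("input:      %q\n", p)
		fmt.Printf("vulnerable: %s  (%d open parens)\n", v, openParenCount(v))
		fmt.Printf("escaped:    %s  (%d open parens)\n\n", s, openParenCount(s))
	}
}
```

With the vulnerable builder, the payload alice)(mail=a* produces a syntactically valid AND filter with one extra clause, so the search succeeds only when alice's mail attribute starts with "a": that is the blind oracle, and iterating over prefixes reads the attribute out character by character. The escaped builder sends the directory a search for the literal uid string and the extra clause never becomes filter syntax. If the code base already depends on go-ldap, ldap.EscapeFilter provides the same escaping.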

Patching is the priority. The National Vulnerability Database records the fix in ZITADEL 3.4.10 for the 3.x branch and 4.15.0 for the 4.x branch. Any organization running ZITADEL's LDAP identity provider on an affected version is at risk of sensitive data exposure.

What This Means For You

  • If your organization uses ZITADEL with its LDAP identity provider, verify your version now. Any release from 2.71.11 up to but not including 3.4.10, or from 4.0.0 up to but not including 4.15.0, is exposed. Upgrade to 3.4.10 or 4.15.0; until then an unauthenticated attacker can enumerate user accounts and extract sensitive LDAP attributes through blind injection at the login prompt.

🛡️ Detection Rules

ZITADEL LDAP Filter Injection Attempt (CVE-2026-44671)

Severity: high · ATT&CK: T1190 Initial Access

Sigma rule:
title: ZITADEL LDAP Filter Injection Attempt (CVE-2026-44671)
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-44671 in ZITADEL by looking for LDAP metacharacters like '(', ')', and '*' within the query parameters of login requests. This indicates a potential blind LDAP injection attack aimed at enumerating usernames or attributes.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44671/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '(|'
      - '*)'
      - '())'
      - '(*)'
  condition: selection
falsepositives:
  - Legitimate administrative activity
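To show what the rule above would and would not catch, here is an added Go example (not part of the feed, the Sigma rule or ZITADEL) that applies the rule's four substring patterns to constructed W3C-style access-log lines. The log layout, the request paths and the loginName parameter are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// The four substrings the Sigma rule above looks for in cs-uri-query.
var injectionPatterns = []string{"(|", "*)", "())", "(*)"}

// Constructed sample log lines (not real ZITADEL or web-server output) in a
// W3C-style layout: date time cs-method cs-uri-stem cs-uri-query sc-status.
// The paths and the loginName parameter are illustrative assumptions.
const sampleLog = `2026-05-14 10:00:01 POST /ui/login/loginname loginName=alice 200
2026-05-14 10:00:02 POST /ui/login/loginname loginName=alice*) 200
2026-05-14 10:00:03 POST /ui/login/loginname loginName=%2A%29%28%7C%28uid%3D%2A 200
2026-05-14 10:00:04 GET /ui/console/users search=(x) 200`

type hit struct {
	Line    string // the raw log line
	Query   string // cs-uri-query as matched (decoded when decoding was on)
	Pattern string // which rule pattern fired
}

// matchQuery returns the first rule pattern present in q, or "" if none.
func matchQuery(q string) string {
	for _, p := range injectionPatterns {
		if strings.Contains(q, p) {
			return p
		}
	}
	return ""
}

// scan applies the rule to every line. With decode=false it matches the raw
// field exactly as the Sigma rule is written; with decode=true it
// percent-decodes cs-uri-query first, which is what exposes encoded payloads.
func scan(logText string, decode bool) []hit {
	var hits []hit
	for _, line := range strings.Split(logText, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 {
			continue
		}
		q := f[4]
		if decode {
			if d, err := url.QueryUnescape(q); err == nil {
				q = d
			}
		}
		if p := matchQuery(q); p != "" {
			hits = append(hits, hit{Line: line, Query: q, Pattern: p})
		}
	}
	return hits
}

func main() {
	for _, decode := range []bool{false, true} {
		fmt.Printf("decode=%v\n", decode)
		for _, h := range scan(sampleLog, decode) {
			fmt.Printf("  pattern %q in %q\n", h.Pattern, h.Query)
		}
	}
}
```

Run against the raw cs-uri-query field, as the Sigma rule is written, only the second line matches; the third line carries the same metacharacters percent-encoded and is missed until the field is decoded first, so decode before matching or add the encoded forms (%28, %29, %2A, %7C) to the pattern list. Two further caveats apply to the rule as written: a browser login form typically submits the username in a POST body rather than the query string, so confirm that the field you log actually carries it; and the patterns are deliberately narrow (a lone * or a simple (uid=x) does not match, as the fourth line shows), which keeps false positives down but also misses simpler probes.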

Indicators of Compromise

ID | Type | Indicator
CVE-2026-44671 | LDAP Filter Injection | ZITADEL versions 2.71.11 to before 3.4.10
CVE-2026-44671 | LDAP Filter Injection | ZITADEL versions 4.0.0 to before 4.15.0
CVE-2026-44671 | Information Disclosure | LDAP identity provider implementation fails to properly escape user-provided usernames
CVE-2026-44671 | Blind LDAP Injection | Blind LDAP injection during the login process to enumerate valid usernames and extract sensitive attribute data

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
