Common Weakness Enumeration

CWE-90

Allowed

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

114 vulnerabilities reference this CWE, most recent first.

GHSA-PCVX-8R6M-5H8R

Vulnerability from github – Published: 2025-09-17 18:31 – Updated: 2025-09-17 18:31
VLAI
Details

CISA Thorium does not escape user controlled strings used in LDAP queries. An authenticated remote attacker can modify LDAP authorization data such as group memberships. Fixed in 1.1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-35431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T17:15:43Z",
    "severity": "MODERATE"
  },
  "details": "CISA Thorium does not escape user controlled strings used in LDAP queries. An authenticated remote attacker can modify LDAP authorization data such as group memberships. Fixed in 1.1.1.",
  "id": "GHSA-pcvx-8r6m-5h8r",
  "modified": "2025-09-17T18:31:18Z",
  "published": "2025-09-17T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35431"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/thorium/commit/7c94a0b9bc2dc55e0c307360452f348bac06820c#diff-45e1e58dfb6faacf9efe778c31ead287d8e13ae07c5dad084c792bc4a0605a68R1007-R1008"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/thorium/releases/tag/1.1.1"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-35431"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PG32-686Q-QH6X

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-29 23:02
VLAI
Summary
Apache CXF has an LDAP injection vulnerability
Details

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.  Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-29T23:02:03Z",
    "nvd_published_at": "2026-05-22T13:16:22Z",
    "severity": "CRITICAL"
  },
  "details": "An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.\u00a0\nUsers are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.",
  "id": "GHSA-pg32-686q-qh6x",
  "modified": "2026-06-29T23:02:03Z",
  "published": "2026-05-26T13:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44930"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/cxf"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/22/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache CXF has an LDAP injection vulnerability"
}

GHSA-PM9M-75P4-7H69

Vulnerability from github – Published: 2025-01-30 00:31 – Updated: 2025-02-11 00:31
VLAI
Details

When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-29T22:15:29Z",
    "severity": "CRITICAL"
  },
  "details": "When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.",
  "id": "GHSA-pm9m-75p4-7h69",
  "modified": "2025-02-11T00:31:47Z",
  "published": "2025-01-30T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54852"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXCQ-C9PX-MH7P

Vulnerability from github – Published: 2026-07-09 15:32 – Updated: 2026-07-09 15:32
VLAI
Details

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in PEAKUP Technology Inc. PassGate allows LDAP Injection.

This issue affects PassGate: through 30042026.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T14:16:32Z",
    "severity": "HIGH"
  },
  "details": "Improper neutralization of special elements used in an LDAP query (\u0027LDAP injection\u0027) vulnerability in PEAKUP Technology Inc. PassGate allows LDAP Injection.\n\nThis issue affects PassGate: through 30042026.",
  "id": "GHSA-pxcq-c9px-mh7p",
  "modified": "2026-07-09T15:32:34Z",
  "published": "2026-07-09T15:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4256"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0523"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6JP-29Q3-RWXV

Vulnerability from github – Published: 2025-09-09 12:30 – Updated: 2025-11-05 00:31
VLAI
Details

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat .

The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful attack would result in arbitrary script execution.

This issue affects Apache HertzBeat: through 1.7.2.

Users are recommended to upgrade to version [1.7.3], which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T10:15:33Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027) vulnerability in Apache HertzBeat .\n\n\n\n\n\n\n\n\n\n\n\n\nThe attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful attack would result in arbitrary script execution.\n\nThis issue affects Apache HertzBeat: through 1.7.2.\n\nUsers are recommended to upgrade to version [1.7.3], which fixes the issue.",
  "id": "GHSA-q6jp-29q3-rwxv",
  "modified": "2025-11-05T00:31:26Z",
  "published": "2025-09-09T12:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48208"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/3zrr3oo67pxxx7wgzj80kglltfshngn2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/06/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8P8-X4X3-FVQM

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-22 15:31
VLAI
Details

Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33609"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:16:54Z",
    "severity": "MODERATE"
  },
  "details": "Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.",
  "id": "GHSA-q8p8-x4x3-fvqm",
  "modified": "2026-04-22T15:31:44Z",
  "published": "2026-04-22T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33609"
    },
    {
      "type": "WEB",
      "url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QMR3-52XF-WMHX

Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-05-02 14:46
VLAI
Summary
Apache Zeppelin: LDAP search filter query Injection Vulnerability
Details

Improper Input Validation vulnerability in Apache Zeppelin.

The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.zeppelin:zeppelin-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.2"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-90"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T22:00:52Z",
    "nvd_published_at": "2024-04-09T17:16:03Z",
    "severity": "MODERATE"
  },
  "details": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.",
  "id": "GHSA-qmr3-52xf-wmhx",
  "modified": "2024-05-02T14:46:22Z",
  "published": "2024-04-09T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/zeppelin/pull/4714"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/zeppelin/commit/65d0bcc1ee8ec3ec372d0a71ab513cd20e6522a0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/zeppelin"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/04/09/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Zeppelin: LDAP search filter query Injection Vulnerability"
}

GHSA-QW6J-957M-52HG

Vulnerability from github – Published: 2025-04-07 15:31 – Updated: 2025-04-07 15:31
VLAI
Details

Dell Unisphere for PowerMax, version(s) prior to 10.2.0.9 and PowerMax version(s) prior to PowerMax 9.2.4.15, contain an Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-07T14:15:24Z",
    "severity": "LOW"
  },
  "details": "Dell Unisphere for PowerMax, version(s) prior to 10.2.0.9 and PowerMax version(s) prior to PowerMax 9.2.4.15, contain an Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027) vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection.",
  "id": "GHSA-qw6j-957m-52hg",
  "modified": "2025-04-07T15:31:21Z",
  "published": "2025-04-07T15:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27686"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-ao/000302223/dsa-2025-111-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-and-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R89M-QPXM-CCGX

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-01T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2.",
  "id": "GHSA-r89m-qpxm-ccgx",
  "modified": "2022-05-24T19:03:41Z",
  "published": "2022-05-24T19:03:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RXVX-HHPJ-Q6PX

Vulnerability from github – Published: 2026-05-08 17:11 – Updated: 2026-05-15 23:47
VLAI
Summary
ZITADEL has LDAP Filter Injection in Login Flow
Details

Summary

A vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.

Impact

While this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as *, (, )) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory.

Note that an authentication bypass is not possible.

Affected Versions

Systems integrating LDAP as IdPs and running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.14.0 (including RC versions)
  • 3.x: 3.1.0 through 3.4.9
  • 2.x: 2.71.11 through 2.71.19

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.

Workarounds

The recommended solution is to upgrade to a patched version. If an immediate upgrade is not possible, developers should ensure their project's LDAP directory has strict access controls to limit the scope of information disclosure.

Questions

If there are any questions or comments about this advisory, please send an email to security@zitadel.com

Credits

This vulnerability was identified and reported by ProScan AppSec (https://proscan.one/).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.14.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.71.11"
            },
            {
              "last_affected": "2.71.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.9"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T17:11:29Z",
    "nvd_published_at": "2026-05-14T22:16:44Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA vulnerability was discovered in Zitadel\u0027s LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.\n\n## Impact\n\nWhile this vulnerability does not allow for a full authentication bypass, an attacker can use LDAP metacharacters (such as `*`, `(`, `)`) to perform blind LDAP injection. By observing the different failure (or success) responses, an attacker can systematically enumerate valid usernames and extract sensitive attribute data from the connected LDAP directory.\n\nNote that an authentication bypass is not possible.\n\n## Affected Versions\n\nSystems integrating LDAP as IdPs and running one of the following versions are affected:\n\n- **4.x**: `4.0.0` through `4.14.0` (including RC versions)\n- **3.x**: `3.1.0` through `3.4.9`\n- **2.x**: `2.71.11` through `2.71.19`\n\n## Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address, resp. phone number itself.\n\n- **4.x**: Upgrade to \u003e=[4.15.0](https://github.com/zitadel/zitadel/releases/tag/v4.15.0)\n- **3.x**: Update to \u003e=[3.4.10](https://github.com/zitadel/zitadel/releases/tag/v3.4.10)\n- **2.x**: Update to \u003e=[3.4.10](https://github.com/zitadel/zitadel/releases/tag/v3.4.10)\n\n## Workarounds\n\nThe recommended solution is to upgrade to a patched version. If an immediate upgrade is not possible, developers should ensure their project\u0027s LDAP directory has strict access controls to limit the scope of information disclosure.\n\n## Questions\n\nIf there are any questions or comments about this advisory, please send an email to [security@zitadel.com](mailto:security@zitadel.com)\n\n## Credits\n\nThis vulnerability was identified and reported by **ProScan AppSec** ([https://proscan.one/](https://proscan.one)).",
  "id": "GHSA-rxvx-hhpj-q6px",
  "modified": "2026-05-15T23:47:17Z",
  "published": "2026-05-08T17:11:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-rxvx-hhpj-q6px"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44671"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ZITADEL has LDAP Filter Injection in Login Flow"
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-136: LDAP Injection

An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.