{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T14:10:28.024","vulnerabilities":[{"cve":{"id":"CVE-2025-31124","sourceIdentifier":"security-advisories@github.com","published":"2025-03-31T20:15:15.707","lastModified":"2025-08-26T17:15:41.330","vulnStatus":"Analyzed","cveTags":[],
"descriptions":[{"lang":"en","value":"Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report \"Username or Password invalid\". While the setting was correctly respected during the login flow, the user's username was normalized leading to a disclosure of the user's existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9."},{"lang":"es","value":"Zitadel es un software de infraestructura de identidad de código abierto. Los administradores de ZITADEL pueden habilitar la configuración \"Ignorar nombres de usuario desconocidos\", que ayuda a mitigar los ataques que intentan adivinar o enumerar nombres de usuario. Si se habilita, ZITADEL mostrará la solicitud de contraseña incluso si el usuario no existe e informará \"Nombre de usuario o contraseña no válidos\". Si bien la configuración se respetó correctamente durante el inicio de sesión, el nombre de usuario se normalizó, lo que reveló su existencia. Esta vulnerabilidad está corregida en las versiones 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6 y 2.63.9."}],
"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},
"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"},{"lang":"en","value":"CWE-203"},{"lang":"en","value":"CWE-204"}]}],
"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionEndExcluding":"2.63.9","matchCriteriaId":"1B2AF1D0-3069-4836-9BF4-229A6CC269EA"},
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.64.0","versionEndExcluding":"2.64.6","matchCriteriaId":"D7142F7F-9380-4C7B-A48F-D4A86F5F9759"},
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.65.0","versionEndExcluding":"2.65.7","matchCriteriaId":"DE6B033C-D29A-4AFE-B836-F1763E7844F2"},
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.66.0","versionEndExcluding":"2.66.16","matchCriteriaId":"5DD1E62B-7DDC-474E-A100-5B0569F5B8FE"},
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.67.0","versionEndExcluding":"2.67.13","matchCriteriaId":"E0D9F074-8DBB-4FFC-A104-B33B902FDD02"},
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.68.0","versionEndExcluding":"2.68.9","matchCriteriaId":"8DE6D67C-182B-4F08-B4A8-D24A0FD2B66B"},
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.69.0","versionEndExcluding":"2.69.9","matchCriteriaId":"A2723F26-27EE-4EA2-845D-93DFA3D2B3F0"},
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.70.0","versionEndExcluding":"2.70.8","matchCriteriaId":"FC6090EB-53CF-43AC-AB5B-D51AA2A539C1"},
{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.71.0","versionEndExcluding":"2.71.6","matchCriteriaId":"3FD8F27A-ED3D-4674-8D57-F348A320A17B"}]}]}],
"references":[
{"url":"https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c","source":"security-advisories@github.com","tags":["Patch"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.63.9","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.64.6","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.65.7","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.66.16","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.67.13","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.68.9","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.69.9","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.70.8","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.71.6","source":"security-advisories@github.com","tags":["Release Notes"]},
{"url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-67m4-8g4w-633q","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}