{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T20:24:47.894","vulnerabilities":[{"cve":{"id":"CVE-2026-29067","sourceIdentifier":"security-advisories@github.com","published":"2026-03-07T15:15:54.890","lastModified":"2026-03-10T17:58:23.663","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. Because these headers are client-controlled unless a trusted reverse proxy overwrites them, an unauthenticated attacker who requests a reset for a victim's account can cause the emailed link to point at an attacker-controlled host; if the victim follows the link, the secret code is disclosed to the attacker and can be used to take over the account. This issue has been patched in version 4.7.1."},{"lang":"es","value":"ZITADEL es una plataforma de gestión de identidades de código abierto. Desde la versión 4.0.0-rc.1 hasta la 4.7.0, existe una potencial vulnerabilidad en el mecanismo de restablecimiento de contraseña de ZITADEL en el inicio de sesión V2. ZITADEL utiliza el encabezado Forwarded o X-Forwarded-Host de las solicitudes entrantes para construir la URL del enlace de confirmación de restablecimiento de contraseña. Este enlace, que contiene un código secreto, se envía luego por correo electrónico al usuario. Este problema ha sido parcheado en la versión 4.7.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.8}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-601"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.7.1","matchCriteriaId":"E1B051D6-969F-4B70-BF3F-AFD77FB00251"}]}]}],"references":[{"url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}