← Back

CVE-2024-49757

nvd nistnuclei
Published: Oct 25, 2024Modified: Aug 26, 2025

JSON object

Loading...
4.9
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.2 / Impact: 3.6
Source: NVD

Description

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

Affected (6)

Products: Zitadel: Zitadel
Zitadel
1 product
Zitadel
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Zitadel
Zitadel
Before 2.58.7
Zitadel
From 2.59.0 to 2.59.5
Zitadel
From 2.60.0 to 2.60.4
Zitadel
From 2.61.0 to 2.61.4
Zitadel
From 2.62.0 to 2.62.7
Zitadel
From 2.63.0 to 2.63.5

Related CWEs

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (8)

Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
PatchVendor Advisory

Timeline

No history available yet.