ZITADEL LDAP Filter Injection CVE-2026-44671 Allows Unauthenticated
CVE-2026-44671 (CVSS 7.5): ZITADEL identity platform fails to escape usernames in LDAP filters, letting unauthenticated attackers inject arbitrary filter logic during login.

Executive Summary
An unauthenticated LDAP filter injection vulnerability in ZITADEL, the open-source identity and access management platform, allows attackers to manipulate LDAP search queries during login. Tracked as CVE-2026-44671 with a CVSS score of 7.5 (High), the flaw stems from the platform's failure to escape user-supplied usernames before interpolating them into LDAP search filters. An attacker can inject arbitrary LDAP filter syntax — including wildcards — to bypass authentication or enumerate valid user entries. Affected are all ZITADEL deployments running versions 2.71.11 through 3.4.10, and any 4.x release prior to 4.15.0. The maintainers released fixes in versions 3.4.10 and 4.15.0 on 2026-05-14, according to the project's GitHub release notes.
Technical Analysis
ZITADEL supports LDAP as an external identity provider, allowing organizations to authenticate users against existing directory services such as Microsoft Active Directory or OpenLDAP. The vulnerability exists in the LDAP identity provider implementation, specifically in how the platform constructs the search filter used to look up the authenticating user.
When a user attempts to log in via an LDAP identity provider, ZITADEL takes the submitted username and embeds it directly into an LDAP search filter without proper sanitization or escaping. According to the advisory published by the ZITADEL team, the filter is built by concatenating a static prefix — typically (&(objectClass=person)(uid= — with the raw username string, followed by a closing parenthesis. An attacker can supply a username containing LDAP filter metacharacters such as *, |, &, or ! to alter the filter's logic.
For example, submitting a username of *)(uid=*))(|(uid=* would close the existing filter and inject a new disjunction that matches any user entry in the directory. This effectively bypasses authentication because the modified filter returns the first matching record regardless of whether the attacker knows the actual username or password. The same injection vector can be used to perform blind LDAP enumeration, revealing the existence of specific user accounts by observing differences in login response times or error messages.
The vulnerability is exploitable without any prior authentication — the injection occurs at the login prompt before any password verification takes place. The CVSS 7.5 rating reflects the low attack complexity (no special privileges or user interaction required) and the high potential impact on confidentiality and integrity, though availability is not directly affected.
The ZITADEL team credited an external security researcher (name not publicly disclosed) for reporting the issue through the project's responsible disclosure process. The fix introduces proper escaping of LDAP filter special characters using the standard LDAP escape function, which prepends a backslash to characters such as (, ), *, \, and NUL before incorporating the username into the filter string.
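To make the two filter-construction patterns concrete, the following Go program is an added illustration, not ZITADEL's own code: it builds the filter from the prefix the advisory describes both with the raw username and with the value escaped in the RFC 4515 form (a backslash followed by the byte's two hex digits, the form go-ldap's EscapeFilter also produces), and adds a small defender-side check that flags submitted usernames containing filter metacharacters for audit review. The filter shape, function names and sample usernames are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes an LDAP assertion value per RFC 4515:
// the bytes ( ) * \ and NUL become a backslash plus two hex digits,
// so the directory matches them literally instead of parsing them.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '(', ')', '*', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildFilterUnsafe shows the flawed pattern: the raw username is
// concatenated into the filter (illustrative filter shape, assumed).
func buildFilterUnsafe(username string) string {
	return "(&(objectClass=person)(uid=" + username + "))"
}

// buildFilterSafe escapes the value first, the shape of the fix.
func buildFilterSafe(username string) string {
	return "(&(objectClass=person)(uid=" + escapeFilterValue(username) + "))"
}

// hasFilterMetachars is a defender-side check: does a submitted
// username contain bytes that could alter filter structure? Handy for
// flagging suspicious LDAP login attempts when reviewing audit logs.
func hasFilterMetachars(username string) bool {
	return strings.ContainsAny(username, "()*\\\x00")
}

func main() {
	// Constructed sample usernames: one benign, two containing metacharacters.
	for _, u := range []string{"alice", "*", "a)(uid=*"} {
		fmt.Printf("%-12q unsafe=%s safe=%s flag=%v\n", u,
			buildFilterUnsafe(u), buildFilterSafe(u), hasFilterMetachars(u))
	}
}
```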
Mitigations & Recommendations
Organizations running ZITADEL with LDAP identity providers should upgrade to version 3.4.10 or 4.15.0 immediately. For deployments that cannot upgrade promptly, administrators can temporarily mitigate the risk by disabling LDAP identity providers in ZITADEL and switching to alternative authentication methods such as OIDC or SAML, if available. Additionally, network-level restrictions that limit outbound LDAP traffic from the ZITADEL server to only trusted directory servers can reduce the blast radius of a successful injection, though they do not prevent the vulnerability from being triggered.