CVE-2024-49757

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zitadel/zitadel/releases/tag/v2.58.7	Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.59.5	Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.60.4	Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.61.4	Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.62.7	Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.63.5	Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.64.0	Release Notes
https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc	Vendor Advisory Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::

History

26 Aug 2025, 16:31

Type	Values Removed	Values Added
References	~~() https://github.com/zitadel/zitadel/releases/tag/v2.58.7 -~~	() https://github.com/zitadel/zitadel/releases/tag/v2.58.7 - Release Notes
References	~~() https://github.com/zitadel/zitadel/releases/tag/v2.59.5 -~~	() https://github.com/zitadel/zitadel/releases/tag/v2.59.5 - Release Notes
References	~~() https://github.com/zitadel/zitadel/releases/tag/v2.60.4 -~~	() https://github.com/zitadel/zitadel/releases/tag/v2.60.4 - Release Notes
References	~~() https://github.com/zitadel/zitadel/releases/tag/v2.61.4 -~~	() https://github.com/zitadel/zitadel/releases/tag/v2.61.4 - Release Notes
References	~~() https://github.com/zitadel/zitadel/releases/tag/v2.62.7 -~~	() https://github.com/zitadel/zitadel/releases/tag/v2.62.7 - Release Notes
References	~~() https://github.com/zitadel/zitadel/releases/tag/v2.63.5 -~~	() https://github.com/zitadel/zitadel/releases/tag/v2.63.5 - Release Notes
References	~~() https://github.com/zitadel/zitadel/releases/tag/v2.64.0 -~~	() https://github.com/zitadel/zitadel/releases/tag/v2.64.0 - Release Notes
References	~~() https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc -~~	() https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc - Vendor Advisory, Patch
CPE		cpe:2.3:a:zitadel:zitadel::::::::
First Time		Zitadel Zitadel zitadel

Information

Published : 2024-10-25 15:15

Updated : 2025-08-26 16:31

NVD link : CVE-2024-49757

Mitre link : CVE-2024-49757

CVE.ORG link : CVE-2024-49757

JSON object : View

Products Affected

zitadel

zitadel

CWE

CWE-287

Improper Authentication

7.5 /10