CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-56666

mediumCVSS 4.8covered by 1 sourcefirst seen 2026-07-10
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.

⚡ Watch CVE-2026-56666

Get an email if CVE-2026-56666 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-56666

CVE.org record

Embed the live status

CVE-2026-56666 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-56666 status](https://www.csirts.com/badge/CVE-2026-56666)](https://www.csirts.com/cve/CVE-2026-56666)