Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVE-2026-44671

Low

0/10

Summary

A vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process. This issue affects versions from 2.71.11 through 2.71.19, 3.1.0 through 3.4.9 and 4.0.0 through 4.14.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

References

Advisory

Advisory Timeline

Published May 14, 2026

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVE-2026-44671

Summary

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS