2 Jun 2025
DevOps
Zitadel: Password Reset URL Vulnerable to Host Header Injection
In Zitadel versions prior to 2.70.12, 2.71.10 and 3.2.2, a high-severity vulnerability, CVE-2025-48936, was detected. The flaw lets an attacker manipulate the Forwarded or X-Forwarded-Host request headers so that the password reset links Zitadel generates point to a domain the attacker controls. If a user clicks such a link, the attacker can capture the reset code embedded in it and gain unauthorized access to the user's account. To address this issue, users should upgrade Zitadel to version 2.70.12, 2.71.10 or 3.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48936.
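To make the failure mode concrete, the following is an added Go example, not Zitadel's own code: it contrasts a reset-link builder that derives its host from Forwarded/X-Forwarded-Host with one that uses a configured origin and honours a forwarded host only when it is on an explicit allowlist. The origin, reset path, header values and allowlist are constructed assumptions.

```go
package main
import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)
// Constructed values, not Zitadel's config: origin and path come from deployment settings.
const (
	configuredOrigin = "https://auth.example.com"
	resetPath        = "/password/reset" // hypothetical path
)
// forwardedHost returns the host claimed via Forwarded (RFC 7239) or X-Forwarded-Host, else "".
func forwardedHost(h http.Header) string {
	if fwd := h.Get("Forwarded"); fwd != "" {
		first := strings.SplitN(fwd, ",", 2)[0] // nearest proxy's element only
		for _, pair := range strings.Split(first, ";") {
			kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
			if len(kv) == 2 && strings.EqualFold(kv[0], "host") {
				return strings.Trim(kv[1], `"`)
			}
		}
	}
	return h.Get("X-Forwarded-Host")
}

// UnsafeResetURL is the vulnerable pattern: the link host comes from attacker-influenced headers.
func UnsafeResetURL(h http.Header, code string) string {
	host := forwardedHost(h)
	if host == "" {
		host = h.Get("Host") // req.Host in a real net/http handler
	}
	return "https://" + host + resetPath + "?code=" + url.QueryEscape(code)
}

// SafeResetURL uses the configured origin; a forwarded host is honoured only
// if it is on an explicit allowlist (nil allowlist = never trust headers).
func SafeResetURL(h http.Header, code string, allowed map[string]bool) string {
	origin := configuredOrigin
	if host := forwardedHost(h); host != "" && allowed[strings.ToLower(host)] {
		origin = "https://" + host
	}
	return origin + resetPath + "?code=" + url.QueryEscape(code)
}

func main() {
	h := http.Header{"X-Forwarded-Host": {"attacker.example"}} // constructed request
	fmt.Println(UnsafeResetURL(h, "c0de"), SafeResetURL(h, "c0de", nil))
}
```

The same header that redirects the unsafe link leaves the safe link on the configured origin, which is the behaviour the fixed versions restore.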