CVE-2026-29191
Status: Received - Intake
Cross-Site Scripting in ZITADEL Login V2 Enables Account Takeover

Publication date: 2026-03-07

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in ZITADEL's Login V2 interface allowed a possible account takeover via XSS in the /saml-post endpoint. This issue has been patched in version 4.12.0.
Meta Information
Published: 2026-03-07
Last Modified: 2026-03-10
Generated: 2026-05-07
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: zitadel
Product: zitadel
Version / Range: from 4.0.0 (inclusive) to 4.12.0 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29191 is a critical vulnerability in Zitadel versions 4.0.0 through 4.11.1 affecting the /saml-post HTTP endpoint, which handles SAML Identity Provider requests.

The vulnerability arises because the endpoint accepts two GET parameters, `url` and `id`, and automatically submits an HTTP POST request to the specified `url` without proper validation. This allows an attacker to specify a `javascript:` scheme that executes arbitrary JavaScript in users' browsers.

Additionally, the endpoint reflects user-supplied input in server responses without HTML encoding, enabling injection of arbitrary HTML and further JavaScript execution (Cross-Site Scripting, XSS).

An unauthenticated remote attacker can exploit these XSS flaws to execute malicious JavaScript on Zitadel users' browsers, potentially resetting victims' passwords and taking over their accounts.

Accounts protected by Multi-Factor Authentication (MFA) or Passwordless authentication are not vulnerable to this attack vector.

The issue was fixed in Zitadel version 4.12.0 by removing the /saml-post endpoint and redesigning SAML IdP integration. [1]


How can this vulnerability impact me?

This vulnerability can allow an unauthenticated remote attacker to execute arbitrary JavaScript in the browsers of Zitadel users.

The attacker can exploit this to reset victims' passwords and take over their accounts, leading to unauthorized access and control.

However, accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled are protected against this attack.

The vulnerability does not require Zitadel to be configured with a SAML Identity Provider and is exploitable in default installations, increasing the risk. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the /saml-post HTTP endpoint in Zitadel versions 4.0.0 through 4.11.1. Detection involves checking if your Zitadel instance is running a vulnerable version and if the /saml-post endpoint is accessible.

You can attempt to detect the vulnerability by sending crafted HTTP requests to the /saml-post endpoint with suspicious parameters such as a javascript: scheme in the url parameter to see if the server reflects or redirects without proper validation.

- Use curl to test the /saml-post endpoint for improper redirection or reflection: curl -v 'https://your-zitadel-domain/saml-post?url=javascript:alert(1)&id=test'
- Check server responses for reflected input or unexpected JavaScript execution in the response body.
- Scan your Zitadel version by querying the application or checking installed package versions to confirm if it is between 4.0.0 and 4.11.1. [1]
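As an added example (not from the advisory or the ZITADEL project), the following Python check applies the detection idea above from the log side: it scans reverse-proxy access-log lines for requests to /saml-post whose `url` parameter is not a plain https URL (such as a javascript: scheme) or whose `url`/`id` values carry markup characters. The NCSA-style log layout, IP addresses and sample requests are constructed for the example.

```python
"""Added example (not ZITADEL's code): flag access-log requests to /saml-post
whose `url` parameter is not a plain https:// URL (e.g. javascript:) or whose
`url`/`id` carry markup. Log layout and sample lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in the common (NCSA) access-log layout.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2026:10:01:02 +0000] "GET /saml-post?url=https%3A%2F%2Fidp.example.com%2Fsso&id=req1 HTTP/1.1" 200 812
203.0.113.9 - - [08/Mar/2026:10:02:15 +0000] "GET /saml-post?url=javascript%3Aalert(1)&id=x HTTP/1.1" 200 690
198.51.100.4 - - [08/Mar/2026:10:03:40 +0000] "GET /saml-post?url=https%3A%2F%2Fidp.example.com%2Fsso&id=%3Cimg%20src%3Dx%3E HTTP/1.1" 200 702
198.51.100.5 - - [08/Mar/2026:10:04:01 +0000] "GET /ui/login HTTP/1.1" 200 4120
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
MARKUP_RE = re.compile(r'[<>"\']')  # characters that would open a tag or attribute

def classify(target):
    """Return reasons a /saml-post request looks suspicious ([] if clean)."""
    parts = urlsplit(target)
    if parts.path.rstrip('/') != '/saml-post':
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for raw in params.get('url', []):
        val = unquote(raw).strip()  # parse_qs decoded once; unquote catches double-encoding
        scheme = urlsplit(val).scheme.lower()
        if scheme != 'https':
            reasons.append('url scheme %r is not https' % (scheme or '<none>'))
        if MARKUP_RE.search(val):
            reasons.append('url contains markup characters')
    for raw in params.get('id', []):
        if MARKUP_RE.search(unquote(raw)):
            reasons.append('id contains markup characters')
    return reasons

def scan(log_text):
    """Return (ip, timestamp, target, reasons) for every suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            reasons = classify(m.group('target'))
            if reasons:
                hits.append((m.group('ip'), m.group('ts'), m.group('target'), reasons))
    return hits

if __name__ == '__main__':
    for ip, ts, target, reasons in scan(SAMPLE_LOG):
        print(ip, ts, target, '; '.join(reasons))
```

Feed real proxy logs through `scan` to find probes against an instance still below 4.12.0; a clean https IdP URL with a plain `id` produces no finding.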


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Zitadel to version 4.12.0 or later, where the vulnerability has been fixed by removing the /saml-post endpoint and redesigning the SAML IdP integration.

If upgrading is not immediately feasible, and if you do not require SAML IdP integration, you should block or restrict access to the /saml-post endpoint using a Web Application Firewall (WAF) or a reverse proxy.

Additionally, enabling Multi-Factor Authentication (MFA) or Passwordless authentication protects accounts from this attack vector.

Ensure password changes require the current password regardless of session state, as implemented in the fixed version.

