CVE-2026-29192
Received Received - Intake
Open Redirect in ZITADEL Login V2 Enables Account Takeover

Publication date: 2026-03-07

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29192
EUVD
EUVD-2026-10149
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zitadel zitadel From 4.0.0 (inc) to 4.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29192 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in Zitadel versions 4.0.0 through 4.11.1, specifically in the login V2 interface.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from the default redirect URI setting that organization administrators can configure, which allows redirecting users to arbitrary locations after login.'}, {'type': 'paragraph', 'content': "Due to insufficient restrictions and improper input handling, an attacker can inject malicious JavaScript code into the login UI that executes in the victim's browser."}, {'type': 'paragraph', 'content': "An unauthenticated remote attacker can exploit this to perform a stored XSS attack, enabling them to reset victims' passwords and take over their accounts."}, {'type': 'paragraph', 'content': 'Accounts protected by Multi-Factor Authentication (MFA) or Passwordless authentication are not vulnerable to this attack vector.'}, {'type': 'paragraph', 'content': "The vulnerability was fixed in Zitadel version 4.12.0 by preventing execution of injected code in the login UI and enforcing that the password change page always requires the user's current password."}] [1]

Impact Analysis

This vulnerability can lead to an account takeover by allowing an attacker to inject malicious code that resets user passwords without their consent.

An attacker exploiting this flaw can gain unauthorized access to user accounts, compromising confidentiality and integrity of user data.

However, accounts secured with Multi-Factor Authentication (MFA) or Passwordless authentication are protected against this attack.

The vulnerability does not impact system availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Zitadel to version 4.12.0 or later.

Additionally, accounts protected by Multi-Factor Authentication (MFA) or Passwordless authentication are not vulnerable to this attack vector, so enabling these protections can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart