CVE-2026-56667
Deferred Deferred - Pending Action

Stored XSS in ZITADEL Login via Unsafe Redirect URI

Vulnerability report for CVE-2026-56667, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user's browser when an affected login error path is reached. This issue is fixed in version 4.15.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
zitadel zitadel to 4.15.3 (exc)
zitadel zitadel 4.15.3
zitalel login_v2_oidc to 4.15.3 (exc)
zitalel saml to 4.15.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows stored Cross-Site Scripting (XSS) attacks via unsafe redirect URIs in the ZITADEL login system, potentially leading to unauthorized code execution in users' browsers.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and secure authentication mechanisms to prevent unauthorized access and data breaches.

Failure to address this vulnerability could result in exploitation that compromises user accounts and sensitive information, thereby violating data protection and security requirements mandated by these regulations.

Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the ZITADEL identity management platform, specifically in the Login V2 component handling OIDC and SAML authentication flows.

Prior to version 4.15.3, certain error paths in the login process returned a default redirect URI without validating if it was safe. This allowed administrators to store malicious URIs such as those starting with javascript: or data:, which could execute harmful scripts in a user's browser when they encountered a login error.

The root cause was the absence of the isSafeRedirectUri check in the FailedPrecondition error handling paths, enabling unsafe redirects that could lead to code execution in users' browsers.

The issue was fixed by adding validation checks to ensure only safe redirect URIs are used, falling back to a safe default redirect if an unsafe URI is detected.

Impact Analysis

This vulnerability can impact you by allowing attackers with administrative privileges to inject malicious redirect URIs that execute arbitrary JavaScript in users' browsers during login error scenarios.

Such execution can lead to Cross-Site Scripting (XSS) attacks, potentially resulting in unauthorized access, account compromise, or theft of sensitive information.

Because the attack requires high privileges and user interaction, the risk is significant in environments where administrators might be compromised or act maliciously.

Detection Guidance

This vulnerability involves unsafe redirect URIs in the ZITADEL Login V2 OIDC and SAML authentication flows that allow stored malicious URIs such as javascript: or data: schemes to be executed in users' browsers.

To detect this vulnerability on your system, you can check if your ZITADEL instance is running a version prior to 4.15.3, as these versions are affected.

Additionally, you can audit the stored default redirect URIs configured by organization or instance administrators to identify any suspicious URIs that use javascript: or data: schemes.

While no specific commands are provided in the resources, you might consider querying your configuration or database for redirect URIs matching patterns like 'javascript:' or 'data:' to detect potentially malicious entries.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade your ZITADEL installation to version 4.15.3 or later, where this vulnerability has been fixed.

The fix includes adding validation checks (isSafeRedirectUri) to ensure that unsafe redirect URIs are blocked and replaced with a safe fallback.

Until you can upgrade, review and remove any default redirect URIs configured by administrators that use unsafe schemes such as javascript: or data: to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart