ZITADEL: 1-Click ZITADEL Vulnerability Could Allow Full System Takeover

Critical XSS Vulnerability in ZITADEL Exposes Enterprises to Account Takeovers

A severe reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-29191 (Critical severity), has been identified in ZITADEL, an open-source identity and access management (IAM) platform. The flaw, discovered by security researcher Amit Laish of GE Vernova, resides in the /saml-post endpoint of the platform's login V2 interface.

The vulnerability affects ZITADEL versions 4.0.0 through 4.11.1 and is present in the platform's default configuration, so no additional identity integration needs to be set up for it to be exploitable. An attacker only has to get a victim to click a crafted link: the injected JavaScript then runs in the origin of the ZITADEL login UI with the victim's session and can silently reset the account password, giving the attacker full control of the account.

The flaw stems from insecure handling of the url and id parameters of the /saml-post endpoint, which handles requests involving a SAML identity provider. The endpoint reflects these user-supplied values into the HTML it returns without encoding them, so a value containing quotes or angle brackets breaks out of its intended context and is interpreted as markup or script. Because the endpoint is served in the default configuration, it remains exploitable even when no SAML identity provider has been configured.
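To make the bug class concrete, here is an added illustration (not code from ZITADEL or from the article) of a handler that reflects the url and id parameters into an auto-submitting form, beside a hardened version. The function names, the markup, the placeholder identity-provider host and the attacker-controlled sample values are assumptions for the example; the real endpoint's template is not reproduced here.

```javascript
// Added illustration of reflected XSS in a SAML auto-post page.
// NOT ZITADEL's code: function names, markup and sample values are assumptions.

// Vulnerable pattern: raw string concatenation of query parameters into HTML.
// An id such as  x" autofocus onfocus="alert(document.cookie)  closes the id
// attribute and adds an event handler; a url of  javascript:alert(1)  becomes
// the form action and is executed by the browser when the form submits.
function renderSamlPostVulnerable(url, id) {
  return (
    '<form method="post" action="' + url + '" id="' + id + '">' +
    '<input type="hidden" name="RelayState" value="' + id + '">' +
    '</form><script>document.getElementById("' + id + '").submit();</script>'
  );
}

// Escape the characters that matter in HTML text and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding alone does not make a URL safe as a form action: "javascript:" is
// harmless as text but is executed when the browser navigates to it. So the
// url parameter is validated as an absolute https URL before being reflected.
function assertHttpsUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    throw new Error('url is not a valid absolute URL');
  }
  if (parsed.protocol !== 'https:') throw new Error('url must use https');
  return parsed.href;
}

// Hardened pattern: validate the URL, escape every reflected value for the
// attribute it lands in, and use a fixed element id so nothing user-controlled
// is ever placed inside the inline script.
function renderSamlPostHardened(url, id) {
  const action = escapeHtml(assertHttpsUrl(url));
  const safeId = escapeHtml(id);
  return (
    '<form method="post" action="' + action + '" id="saml-post-form">' +
    '<input type="hidden" name="RelayState" value="' + safeId + '">' +
    '</form><script>document.getElementById("saml-post-form").submit();</script>'
  );
}

// Constructed attacker-controlled input (assumed values, not from the advisory).
const maliciousId = 'x" autofocus onfocus="alert(document.cookie)';
const maliciousUrl = 'javascript:alert(1)';

// Stand-alone demonstration.
console.log('vulnerable:', renderSamlPostVulnerable(maliciousUrl, maliciousId));
try {
  renderSamlPostHardened(maliciousUrl, maliciousId);
} catch (e) {
  console.log('hardened rejected url:', e.message);
}
console.log('hardened:', renderSamlPostHardened('https://idp.example.com/sso', maliciousId));
```

The hardened version does two things the vulnerable one does not: it escapes every reflected value for the HTML context it lands in, and it validates that url is an absolute https URL before placing it in a form action, because a javascript: URL in an action is executed by the browser no matter how it is encoded.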

ZITADEL's maintainers have released version 4.12.0, which removes the vulnerable endpoint and reworks the SAML integration architecture. As a defence-in-depth measure, password changes now require the user's current password regardless of session state, so script running inside a logged-in session can no longer change the password silently.

Organizations unable to upgrade immediately can reduce their exposure by enforcing Multi-Factor Authentication (MFA) or passwordless login for all users, deploying a Web Application Firewall (WAF) in front of the login UI, or blocking traffic to the vulnerable endpoint at the reverse proxy. Accounts protected by MFA or passwordless authentication are not exposed to this attack vector, since a reset password alone does not grant access to them. Note that blocking the endpoint also disables the login UI's SAML flow, so the WAF and blocking options are stopgaps until the upgrade is applied.
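For the monitoring side of the interim mitigations, here is an added example (not ZITADEL's code and not a vendor WAF rule) of a scanner that reads access-log lines and flags requests to the /saml-post endpoint whose url or id parameter looks like an injection attempt. The combined-log line shape, the path matching, the sample IP addresses and hostnames, and the sample lines themselves are constructed assumptions for the example.

```javascript
// Added example: flag suspicious /saml-post requests in access logs.
// NOT ZITADEL's code. Log format, paths and sample lines are assumptions.

// Constructed sample lines in a common combined-log shape (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [09/Mar/2026:10:01:02 +0000] "GET /saml-post?url=https%3A%2F%2Fidp.example.com%2Fsso&id=_abc123 HTTP/1.1" 200 512',
  '198.51.100.7 - - [09/Mar/2026:10:02:15 +0000] "GET /saml-post?url=https%3A%2F%2Fidp.example.com%2Fsso&id=x%22%20autofocus%20onfocus%3D%22alert(1) HTTP/1.1" 200 540',
  '198.51.100.7 - - [09/Mar/2026:10:02:40 +0000] "GET /saml-post?url=javascript%3Aalert(document.cookie)&id=_abc HTTP/1.1" 200 530',
  '203.0.113.9 - - [09/Mar/2026:10:03:01 +0000] "GET /ui/login HTTP/1.1" 200 1200',
];

// Extract method, path and decoded query parameters from one log line.
// Returns null for lines that do not carry a request line.
function parseRequest(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  // The base origin is a placeholder; only path and query are used.
  const u = new URL(m[2], 'https://placeholder.invalid');
  return { method: m[1], path: u.pathname, params: u.searchParams };
}

// Reasons a url/id pair looks like an attack on the reflected parameters:
// a url that is not an absolute https URL (e.g. javascript:), or HTML
// metacharacters that would break out of an attribute or element.
function suspiciousReasons(params) {
  const reasons = [];
  const url = params.get('url');
  const id = params.get('id');
  if (url !== null) {
    let proto = null;
    try {
      proto = new URL(url).protocol;
    } catch {
      // relative or malformed: treated as not https
    }
    if (proto !== 'https:') reasons.push('url is not an https URL');
  }
  for (const [name, value] of [['url', url], ['id', id]]) {
    if (value !== null && /[<>"']/.test(value)) {
      reasons.push(name + ' contains HTML metacharacters');
    }
  }
  return reasons;
}

// Scan lines and return the flagged /saml-post requests with their reasons.
// Matching on the path suffix is an assumption so that a prefix such as a
// login UI base path does not hide the endpoint.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseRequest(line);
    if (!req || !req.path.endsWith('/saml-post')) continue;
    const reasons = suspiciousReasons(req.params);
    if (reasons.length > 0) hits.push({ line, reasons });
  }
  return hits;
}

// Stand-alone demonstration.
for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(hit.reasons.join('; '), '<-', hit.line);
}
```

Run the scanner over the reverse proxy's access log for the login UI; a legitimate SAML login only ever carries an https identity-provider URL and an opaque request id, so any hit is worth investigating, and the source address of a hit is a good pivot for checking whether the same client subsequently changed a password.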

Source: https://gbhackers.com/1-click-zitadel-vulnerability/

ZITADEL cybersecurity rating report: https://www.rankiteo.com/company/zitadel

{
  "id": "ZIT1773052021",
  "linkid": "zitadel",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "title": "Critical XSS Vulnerability in ZITADEL Exposes Enterprises to Account Takeovers",
  "type": "Cross-Site Scripting (XSS)",
  "vulnerability_exploited": "CVE-2026-29191",
  "description": "A severe Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-29191 (Critical severity), has been identified in ZITADEL, an open-source identity and access management (IAM) platform. The flaw resides in the platform's /saml-post endpoint within the login V2 interface. Attackers can craft malicious links that execute arbitrary JavaScript in a victim's browser, enabling silent password resets and full account takeovers. The vulnerability affects ZITADEL versions 4.0.0 through 4.11.1 and exists in the platform's default configuration.",
  "affected_entities": [
    {
      "name": "ZITADEL",
      "type": "Open-source IAM platform",
      "industry": "Identity and Access Management (IAM)",
      "customers_affected": "Enterprises using ZITADEL versions 4.0.0 through 4.11.1"
    }
  ],
  "attack_vector": "Malicious links via /saml-post endpoint",
  "data_breach": {
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (personally identifiable information, authentication data)",
    "type_of_data_compromised": "Account credentials, session tokens"
  },
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to security vulnerability",
    "data_compromised": "Account credentials, session tokens",
    "identity_theft_risk": "High",
    "operational_impact": "Account takeovers, unauthorized access to identity management systems",
    "systems_affected": "ZITADEL IAM platform (versions 4.0.0 through 4.11.1)"
  },
  "post_incident_analysis": {
    "root_causes": "Insecure handling of url and id parameters in /saml-post endpoint, lack of proper input encoding",
    "corrective_actions": "Removed vulnerable endpoint, reworked SAML integration, enforced current password requirement for changes"
  },
  "response": {
    "containment_measures": "Upgrade to ZITADEL version 4.12.0, enforce MFA/Passwordless login, deploy WAF, block traffic to vulnerable endpoint",
    "remediation_measures": "Removed vulnerable /saml-post endpoint, reworked SAML integration architecture, required current password for password changes",
    "adaptive_behavioral_waf": "Recommended"
  },
  "recommendations": "Upgrade to ZITADEL version 4.12.0, enforce MFA/Passwordless authentication, deploy a Web Application Firewall (WAF), monitor for suspicious activity",
  "references": [
    { "source": "Security researcher Amit Laish of GE Vernova" }
  ]
}