PT-2026-23104 · Zitadel · Zitadel

Amit-Laish · Published 2026-03-04 · Updated 2026-03-25 · CVE-2026-29191

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ZITADEL versions 4.0.0 through 4.11.1

Description: ZITADEL, an open source identity management platform, contains a cross-site scripting (XSS) vulnerability in its login V2 interface, specifically in the /saml-post endpoint, which accepts the url and id parameters. The issue stems from insecure redirection using the url parameter and from reflecting user-supplied input into the response without proper HTML encoding, so malicious JavaScript can execute in a victim's browser. An unauthenticated attacker can exploit this by crafting a malicious link, potentially resetting passwords and taking over accounts. The vulnerability does not require a SAML integration to be exploited and affects ZITADEL in its default configuration.

Recommendations: Upgrade to ZITADEL version 4.12.0 or later.

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-29191
GHSA-PR34-2V5X-6QJQ
GO-2026-4607
SUSE-SU-2026:1042-1

Affected Products

Zitadel