PT-2026-23105 · Zitadel · Zitadel

Amit Laish · Published 2026-03-04 · Updated 2026-03-25

CVE-2026-29192 · CVSS v3.1 7.7 High · Vector AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
ZITADEL versions 4.0.0 through 4.11.1

Description
ZITADEL, an open-source identity management platform, has a flaw in its login V2 interface that allows account takeover through the default redirect URI. Because the default redirect URI is neither restricted nor handled safely, attacker-controlled JavaScript can be executed in the ZITADEL login UI (stored cross-site scripting). An unauthenticated remote attacker can exploit this to reset passwords and take over accounts. The issue is mitigated for accounts with multi-factor authentication (MFA) or passwordless authentication enabled. The vulnerable component is the login V2 interface.

Recommendations
Upgrade to version 4.12.0 or later.
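The root cause class described above is a redirect target that reaches a login page without being constrained to an absolute http(s) URL on a registered host, so a value such as a `javascript:` URL ends up executed as script. The following Go function is an added example of the kind of check an identity provider should apply before a redirect URI is stored or rendered; it is written for this page and is not ZITADEL's code or its fix. The function name, the registered-host list and the test inputs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrRedirectURI is returned for any redirect target that fails validation.
var ErrRedirectURI = errors.New("redirect URI rejected")

// ValidateRedirectURI takes a candidate redirect URI and the hostnames an
// operator has registered for the application, and returns the normalized
// absolute URI on success. Anything that is not an absolute http(s) URL to a
// registered host is rejected, which closes the path where a javascript:,
// data: or scheme-relative value is later placed into a login-page link.
// Hypothetical helper written for this page; not ZITADEL's code.
func ValidateRedirectURI(raw string, allowedHosts []string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", fmt.Errorf("%w: empty", ErrRedirectURI)
	}
	// Reject control characters and whitespace anywhere: browsers strip some
	// of them, which lets "java\tscript:" slip past a naive prefix check.
	for _, r := range raw {
		if r <= 0x20 || r == 0x7f {
			return "", fmt.Errorf("%w: control character", ErrRedirectURI)
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrRedirectURI, err)
	}
	// The scheme must be present and explicitly allowed; this also rejects
	// scheme-relative "//evil.example" and bare relative paths.
	if u.Scheme != "https" && u.Scheme != "http" {
		return "", fmt.Errorf("%w: scheme %q", ErrRedirectURI, u.Scheme)
	}
	if u.Opaque != "" || u.User != nil || u.Host == "" {
		return "", fmt.Errorf("%w: not an absolute URL with a host", ErrRedirectURI)
	}
	host := strings.ToLower(u.Hostname())
	// Plain http is tolerated only for loopback (native-app style redirects).
	if u.Scheme == "http" && !isLoopback(host) {
		return "", fmt.Errorf("%w: http allowed only for loopback", ErrRedirectURI)
	}
	if !hostAllowed(host, allowedHosts) {
		return "", fmt.Errorf("%w: host %q not registered", ErrRedirectURI, host)
	}
	// Store the re-serialized parsed form, never the raw input, and drop any
	// fragment so nothing client-side can be smuggled along.
	u.Host = strings.ToLower(u.Host)
	u.Fragment = ""
	return u.String(), nil
}

func isLoopback(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// hostAllowed does exact matching against the registered hosts; no suffix
// matching, so "app.example.com.evil.test" never matches "app.example.com".
func hostAllowed(host string, allowed []string) bool {
	for _, a := range allowed {
		if strings.EqualFold(strings.TrimSpace(a), host) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: one legitimate callback and the usual bypass shapes.
	allowed := []string{"app.example.com", "127.0.0.1"}
	for _, c := range []string{
		"https://app.example.com/callback?state=abc",
		"javascript:alert(document.cookie)",
		"JAVA\tSCRIPT:alert(1)",
		"//evil.example/",
		"https://app.example.com.evil.test/",
		"http://app.example.com/cb",
		"http://127.0.0.1:8080/cb",
		"data:text/html,<script>alert(1)</script>",
	} {
		out, err := ValidateRedirectURI(c, allowed)
		fmt.Printf("%-45q -> %q %v\n", c, out, err)
	}
}
```

The check is deliberately an allowlist on scheme and exact host rather than a denylist of dangerous prefixes: a denylist has to anticipate every encoding and whitespace trick, while the allowlist only has to recognize the handful of URLs the operator actually registered.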

Exploit · Fix · XSS



Related Identifiers

CVE-2026-29192
GHSA-6RX5-M2RC-HMF7
GO-2026-4605
SUSE-SU-2026:1042-1

Affected Products

Zitadel