Description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0.
Published: 2026-03-07
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via XSS
Action: Immediate Patch
AI Analysis

Impact

A cross‑site scripting flaw exists in the login V2 interface of the Zitadel identity platform. An attacker who can inject a malicious script into the /saml‑post endpoint can force the victim’s browser to execute that script during authentication, enabling unauthorized access to the victim’s account. The vulnerability is identified as CWE‑79 and can potentially allow attackers to steal session cookies or otherwise hijack user credentials. The impact is a complete compromise of the affected user’s account, exposing all resources that the account can access.

Affected Systems

The affected product is Zitadel, a free and open‑source identity management platform. Versions from 4.0.0 through 4.11.1 are vulnerable. The issue was addressed in version 4.12.0 and later.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, while the EPSS score of less than 1% suggests that, as of now, the risk of active exploitation is low. The vulnerability is not yet listed in the CISA KEV catalog. An attacker would need to deliver a crafted request to the /saml‑post endpoint, likely involving social engineering or a malicious link, to trigger the XSS. Once the script runs in the victim’s browser, the attacker can hijack the session and take over the account. The combination of high potential impact and low current exploitation probability still warrants prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 10:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zitadel to version 4.12.0 or later
  • If possible, restrict or disable the /saml‑post endpoint to reduce attack surface
  • Deploy a Content Security Policy that blocks inline scripts to mitigate any residual XSS vectors

Generated by OpenCVE AI on April 16, 2026 at 10:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pr34-2v5x-6qjq ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
History

Tue, 10 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Zitadel
Zitadel zitadel
Vendors & Products Zitadel
Zitadel zitadel

Sat, 07 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0.
Title ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Zitadel Zitadel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:44:25.583Z

Reserved: 2026-03-04T14:44:00.714Z

Link: CVE-2026-29191

cve-icon Vulnrichment

Updated: 2026-03-09T20:41:55.217Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-07T15:15:55.557

Modified: 2026-03-10T17:55:39.263

Link: CVE-2026-29191

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses