Description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.
Published: 2026-03-07
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via stored XSS in the redirect field
Action: Immediate Patch
AI Analysis

Impact

Zitadel versions 4.0.0 through 4.11.1 contain a stored cross‑site scripting flaw in the login V2 interface that can be triggered through a malicious default URI redirect. The flaw allows an attacker to inject script that is stored and subsequently executed when the login page is rendered, potentially stealing session cookies or performing actions on behalf of the victim, resulting in account takeover.

Affected Systems

The vulnerability affects Zitadel identity management platform versions 4.0.0 to 4.11.1. Zitadel 4.12.0 and later incorporate the fix and therefore are not affected.

Risk and Exploitability

The flaw has a CVSS score of 7.7, indicating high severity, but the EPSS score is below 1 %, meaning that exploitation is currently considered unlikely. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Attackers would need to embed a malicious redirect URI into the login flow; once the login page loads with this stored value, user browsers will execute the injected script. The attack path is user‑visible and does not require elevated privileges, relying solely on the victim interacting with the compromised login page.

Generated by OpenCVE AI on April 17, 2026 at 12:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zitadel to version 4.12.0 or later to obtain the vendor‑issued fix.
  • Prior to upgrading, restrict redirect URIs to a list of approved domains or disable the default redirect feature to prevent injection of malicious URIs.
  • Ensure all existing redirect fields are reviewed and sanitized by server‑side validation to block non‑trusted scripts.

Generated by OpenCVE AI on April 17, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6rx5-m2rc-hmf7 ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
History

Tue, 10 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Zitadel
Zitadel zitadel
Vendors & Products Zitadel
Zitadel zitadel

Sat, 07 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.
Title ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Zitadel Zitadel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:44:25.436Z

Reserved: 2026-03-04T14:44:00.714Z

Link: CVE-2026-29192

cve-icon Vulnrichment

Updated: 2026-03-09T20:41:53.156Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-07T15:15:55.710

Modified: 2026-03-10T17:54:28.727

Link: CVE-2026-29192

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses