ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover

Description

Summary

A vulnerability in Zitadel's login V2 interface was discovered, allowing for possible account takeover.

Impact

Zitadel allows organization administrators to change the default redirect URI for their organization. This setting enables them to redirect users to an arbitrary location after they log in.

Due to missing restrictions and improper handling of that value, malicious JavaScript code could be executed in the Zitadel login UI (v2) in the user's browser.

An unauthenticated remote attacker can exploit this Stored XSS vulnerability, reset the password of their victims, and take over their accounts.

It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.
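As an added defensive illustration (not ZITADEL's own code), here is the kind of check the Impact section implies was missing: an allowlist validator for the admin-supplied default redirect URI, plus contextual HTML escaping when the login UI renders the stored value. Written in Go because the affected packages are Go modules; the function names, the `ErrRedirectURI` sentinel, the template and the sample URIs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// ErrRedirectURI marks a default redirect URI that must be neither stored nor rendered.
var ErrRedirectURI = errors.New("redirect URI rejected")

// ValidateRedirectURI enforces an allowlist on an admin-supplied default redirect URI:
// only absolute http(s) URLs with a host pass (constructed policy, not ZITADEL's own code).
func ValidateRedirectURI(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrRedirectURI, err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default: // rejects javascript:, data:, and scheme-relative "//host" forms
		return "", fmt.Errorf("%w: scheme %q is not http(s)", ErrRedirectURI, u.Scheme)
	}
	if u.Host == "" {
		return "", fmt.Errorf("%w: missing host", ErrRedirectURI)
	}
	return u.String(), nil
}

// redirectTmpl stands in for the login UI's "continue" link. html/template escapes by
// context, so an unsafe scheme in an href is replaced by the "#ZgotmplZ" failsafe.
var redirectTmpl = template.Must(template.New("redirect").Parse(
	`<a id="continue" href="{{.}}">Continue</a>`))

// RenderRedirectLink renders the stored URI into the link markup.
func RenderRedirectLink(uri string) string {
	var sb strings.Builder
	if err := redirectTmpl.Execute(&sb, uri); err != nil {
		return ""
	}
	return sb.String()
}

func main() {
	// Constructed input: a value that a missing check would have stored.
	_, err := ValidateRedirectURI("javascript:alert(1)")
	fmt.Println(err, RenderRedirectLink("javascript:alert(1)"))
}
```

The two layers are independent: the validator keeps the bad value out of storage, and the auto-escaping template keeps a value that slipped through from becoming executable markup.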

Affected Versions

Systems running one of the following versions are affected:
- 4.x: 4.0.0 through 4.11.1 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases. The login UI prevents execution of such code. Additionally, the page to change the password now always requires the user's current password, regardless of the state of the authenticated session.

4.x: Upgrade to >= 4.12.0

Workarounds

The recommended solution is to upgrade to a patched version.

Questions

If there are any questions or comments about this advisory, please send an email to [email protected]

Credits

ZITADEL extends thanks once again to Amit Laish from GE Vernova for finding and reporting the vulnerability.

Basic information

Type: reviewed
Severity: high
Published (advisory): 2026-03-04 22:53:42 UTC
Updated: 2026-03-09 15:46:35 UTC
GitHub reviewed: 2026-03-04 22:53:42 UTC
NVD published: 2026-03-07

EPSS Score

Score: 0.01%
Percentile: 3.15%

CVSS Scores

Base score: 7.7
Version: 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

Attack vector (AV:N): Could be attacked over the internet or any normal routed network, not just by someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H): They need powerful rights (admin, root, or similar) before this pays off.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources, a bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data; trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

Identifiers

CWEs

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • amit-laish (analyst)
  • livio-a (other)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

  • go: github.com/zitadel/zitadel/v2, vulnerable range >= 4.0.0, < 4.12.0, first patched 4.12.0
  • go: github.com/zitadel/zitadel, vulnerable range >= 4.0.0, < 4.12.0, first patched 4.12.0
