ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover

Description

Summary

A vulnerability in Zitadel's login V2 interface was discovered, allowing for possible account takeover.

Impact

Zitadel allows organization administrators to change the default redirect URI for their organization. This setting enables them to redirect users to an arbitrary location after they log in.

Due to missing restrictions on this value and improper handling of it, malicious JavaScript code could be executed in the Zitadel login UI (v2) in the user's browser.

An unauthenticated remote attacker can exploit this Stored XSS vulnerability, reset the password of their victims, and take over their accounts.

It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.
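As an added illustration (not Zitadel's own code or its fix), the following TypeScript shows the kind of check a login UI should apply to a stored default redirect URI before sending the browser to it: only http(s) targets on an allowlisted origin, or same-origin relative paths, are accepted, and everything else, including javascript: and data: URIs, falls back to the UI's own landing page. The `RedirectConfig` shape, the `postLoginTarget` fallback and the example origins are assumptions, not Zitadel configuration.

```typescript
// Added example, not Zitadel's code: validate a stored "default redirect URI"
// before the login UI sends the browser to it.

interface RedirectConfig {
  selfOrigin: string;        // origin of the login UI, e.g. "https://login.example" (assumed)
  allowedOrigins: string[];  // origins admins may redirect to (assumed deployment config)
}

const SAFE_SCHEMES = new Set(["http:", "https:"]);

function tryParse(value: string, base: string): URL | null {
  try {
    return new URL(value, base);
  } catch {
    return null;
  }
}

// Returns a normalized absolute URL that is safe to redirect to, or null if the
// stored value must be rejected.
function validateRedirectUri(raw: string, cfg: RedirectConfig): string | null {
  // Browsers strip tab/newline before parsing, so "java\tscript:" still executes.
  // Reject control characters outright rather than imitating that behaviour.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return null;

  // Resolving against selfOrigin makes "/path" same-origin, while "//evil.example"
  // and "/\evil.example" resolve to a foreign origin and fail the allowlist below.
  const parsed = tryParse(raw.trim(), cfg.selfOrigin);
  if (parsed === null) return null;

  // The parser lowercases the scheme, so "JavaScript:" is caught here too,
  // along with data:, vbscript:, blob: and any other non-http(s) scheme.
  if (!SAFE_SCHEMES.has(parsed.protocol)) return null;

  // "https://app.example@evil.example/" has host evil.example; refuse userinfo.
  if (parsed.username !== "" || parsed.password !== "") return null;

  const allowed = new Set([cfg.selfOrigin, ...cfg.allowedOrigins].map((o) => new URL(o).origin));
  if (!allowed.has(parsed.origin)) return null;

  return parsed.href;
}

// Target for the browser after login: the validated stored URI, or the UI's own
// landing page when the stored value is missing or unsafe (assumed fallback).
function postLoginTarget(stored: string | undefined, cfg: RedirectConfig): string {
  const fallback = new URL("/", cfg.selfOrigin).href;
  if (stored === undefined) return fallback;
  return validateRedirectUri(stored, cfg) ?? fallback;
}
```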

Affected Versions

Systems running one of the following versions are affected:
- 4.x: 4.0.0 through 4.11.1 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases. The login UI prevents execution of such code. Additionally, the page to change the password now always requires the user's current password, regardless of the state of the authenticated session.

4.x: Upgrade to >= 4.12.0

Workarounds

The recommended solution is to upgrade to a patched version.

Questions

If there are any questions or comments about this advisory, please send an email to [email protected]

Credits

ZITADEL extends thanks once again to Amit Laish from GE Vernova for finding and reporting the vulnerability.

Basic information

Type
reviewed
Severity
high
Published (advisory)
2026-03-04 22:53:42 UTC
Updated
2026-03-09 15:46:35 UTC
GitHub reviewed
2026-03-04 22:53:42 UTC
Published on NVD
2026-03-07

EPSS Score

Score: 0.01%
Percentile: 3.15%

CVSS Scores

Base score: 7.7 (CVSS version 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector (AV:N)
Exploitable remotely over a routed network such as the Internet; no physical access to the device is required.
Attack Complexity (AC:H)
Even when the target is reachable, success often depends on conditions such as timing, load, or surrounding configuration lining up.
Privileges Required (PR:H)
Real harm is hard to achieve unless the attacker already holds strong privileges such as administrator or SYSTEM.
User Interaction (UI:N)
Can succeed without the victim's cooperation, such as opening a link in an email or enabling macros.
Scope (S:C)
Using the vulnerable component as a foothold, the impact can spread to other components or privilege domains.
Confidentiality Impact (C:H)
Wide-ranging reading or exfiltration of sensitive data is realistic.
Integrity Impact (I:H)
Tampering that undermines the system's basis of trust, such as taking over privileges or falsifying logs at scale, is realistic.
Availability Impact (A:N)
No outage or degradation severe enough to disrupt operations is expected.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • amit-laish (analyst)
  • livio-a (other)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/zitadel/zitadel/v2 >= 4.0.0, < 4.12.0 4.12.0
go github.com/zitadel/zitadel >= 4.0.0, < 4.12.0 4.12.0
