CVE-2026-29191
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks through ZITADEL's SAML login endpoint, potentially enabling attackers to steal authentication tokens and take over user accounts. It affects all ZITADEL deployments running versions 4.0.0 through 4.11.1. Organizations using ZITADEL for identity management are at risk.
💻 Affected Systems
- ZITADEL
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, including administrators, leading to full compromise of the identity management system and downstream applications that rely on it for authentication.
Likely Case
Attackers steal session tokens or credentials from users, gaining unauthorized access to their accounts and potentially sensitive systems that use ZITADEL for authentication.
If Mitigated
Limited impact with proper web application firewalls and content security policies that block XSS payloads, though the vulnerability remains present.
🎯 Exploit Status
Exploitation requires the attacker to trick a user into visiting a malicious link or page that triggers the XSS payload through the SAML endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.12.0
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-pr34-2v5x-6qjq
Restart Required: Yes
Instructions:
1. Backup your ZITADEL configuration and data. 2. Upgrade to ZITADEL version 4.12.0 or later. 3. Restart the ZITADEL service. 4. Verify the upgrade was successful by checking the version.
🔧 Temporary Workarounds
Disable SAML authentication
allTemporarily disable SAML authentication in ZITADEL configuration to prevent exploitation through the vulnerable endpoint.
Edit ZITADEL configuration file to remove or comment out SAML provider settings
Implement WAF rules
allConfigure web application firewall rules to block XSS payloads targeting the /saml-post endpoint.
Add WAF rule: Block requests containing script tags or JavaScript in POST parameters to /saml-post
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent execution of injected scripts
- Monitor and audit access to the /saml-post endpoint for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check ZITADEL version: if between 4.0.0 and 4.11.1 inclusive, and SAML is enabled, the system is vulnerable.Check Version:
zitadel versionVerify Fix Applied:
Confirm ZITADEL version is 4.12.0 or higher and test the SAML login flow for proper sanitization of inputs.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /saml-post endpoint with script tags or JavaScript in parameters
- Multiple failed login attempts followed by successful logins from unexpected locations
Network Indicators:
- HTTP requests containing XSS payloads targeting /saml-post
- Traffic patterns suggesting credential harvesting
SIEM Query:
source="zitadel" AND (url="/saml-post" AND (param CONTAINS "<script>" OR param CONTAINS "javascript:"))