1-Click ZITADEL Vulnerability Could Allow Full System Takeover


A critical Cross-Site Scripting (XSS) vulnerability has been discovered in ZITADEL, a popular open-source identity and access management platform.

Tracked as CVE-2026-29191 with a Critical severity rating, this flaw resides in the platform’s login V2 interface, specifically within the /saml-post endpoint.

It allows unauthenticated remote attackers to execute malicious JavaScript directly within a user’s browser.

With a single click on a crafted link, attackers can silently reset user passwords and achieve complete account takeover.

Security researcher Amit Laish from GE Vernova discovered and reported the vulnerability. The flaw affects enterprise systems running ZITADEL versions 4.0.0 through 4.11.1.

Crucially, the vulnerability exists in the platform’s default, out-of-the-box configuration. This means administrators do not need to have specific identity integrations enabled to be at risk.

The platform’s maintainers have now addressed this issue in the fully patched version 4.12.0.

Attack Mechanism and Impact

The vulnerability stems from how ZITADEL handles its /saml-post HTTP endpoint, which traditionally processes requests to SAML Identity Providers.

This endpoint accepts two specific HTTP GET parameters: url and id. When these parameters are provided, the user’s browser automatically submits an HTTP POST request to the targeted URL.

The primary security failure happens because the endpoint insecurely redirects users based on the user-supplied url parameter.

A malicious actor can easily craft a deceptive link using a javascript: scheme. If a victim clicks this URL, arbitrary JavaScript executes immediately in their active browser session.

Furthermore, the endpoint reflects user-supplied input directly in the server response without proper HTML encoding, creating another direct path for malicious script injection.
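ZITADEL is written in Go, so the following added example is in Go. It is not ZITADEL's own code and not its 4.12.0 fix (which removes the endpoint rather than patching it); it shows how an auto-POST endpoint that takes `url` and `id` query parameters can be hardened against the two failures described above. The post target is checked against an https-only host allowlist before it is used, a `form-action` Content-Security-Policy is set as defence in depth, and the page is rendered with `html/template` so the reflected `id` value is attribute-escaped instead of being echoed raw. The parameter names follow the article; the allowlisted host `idp.example.com`, the `RelayState` field name and the function names are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed allowlist of Identity Provider hosts (an assumption for this
// example; a real deployment would load it from its SAML configuration).
var allowedPostHosts = map[string]bool{
	"idp.example.com": true,
}

var errBadURL = errors.New("post target rejected")

// validatePostURL accepts the user-supplied "url" parameter only if it is an
// absolute https URL to an allowlisted host. This closes the open redirect:
// javascript:, data:, http:, scheme-relative and unknown-host targets all fail.
func validatePostURL(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, errBadURL
	}
	if !u.IsAbs() || !strings.EqualFold(u.Scheme, "https") {
		return nil, errBadURL
	}
	if u.User != nil || !allowedPostHosts[strings.ToLower(u.Hostname())] {
		return nil, errBadURL
	}
	return u, nil
}

// autoPostPage is an html/template, so each interpolated value is escaped for
// the context it lands in: the form action is URL-filtered and the RelayState
// value is attribute-escaped, which closes the reflected-XSS path.
var autoPostPage = template.Must(template.New("post").Parse(`<!doctype html>
<html><body onload="document.forms[0].submit()">
<form method="post" action="{{.Action}}">
<input type="hidden" name="RelayState" value="{{.ID}}">
<noscript><button type="submit">Continue</button></noscript>
</form></body></html>
`))

type postPage struct {
	Action string
	ID     string
}

// samlPostHandler is a hardened stand-in for an auto-POST endpoint that takes
// "url" and "id" query parameters (names taken from the article).
func samlPostHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	target, err := validatePostURL(q.Get("url"))
	if err != nil {
		http.Error(w, "invalid post target", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	// Defence in depth: even if the form action were tampered with, the
	// browser may only submit this page's form to the validated origin.
	w.Header().Set("Content-Security-Policy", "form-action "+target.Scheme+"://"+target.Host)
	page := postPage{Action: target.String(), ID: q.Get("id")}
	if err := autoPostPage.Execute(w, page); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// render drives the handler with a constructed request and returns the
// recorder, so status, headers and body can be inspected without a server.
func render(query string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(http.MethodGet, "/saml-post?"+query, nil)
	rec := httptest.NewRecorder()
	samlPostHandler(rec, req)
	return rec
}

func main() {
	for _, raw := range []string{"https://idp.example.com/sso", "javascript:void(0)", "http://idp.example.com/sso"} {
		_, err := validatePostURL(raw)
		fmt.Printf("%-30s accepted=%v\n", raw, err == nil)
	}
	// Constructed request: a reflected id containing markup is rendered escaped.
	rec := render("url=https%3A%2F%2Fidp.example.com%2Fsso&id=%3Cb%3Erelay%3C%2Fb%3E")
	fmt.Println(rec.Code)
	fmt.Print(rec.Body.String())
}
```

The allowlist check is what matters most: encoding alone would not stop a `javascript:` target, because a correctly escaped URL in a form `action` is still a URL the browser will follow. Rejecting anything that is not an absolute https URL to a known host removes the whole class, and `html/template`'s contextual escaping handles the reflected value without hand-written encoding.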

By exploiting these XSS vulnerabilities, threat actors can effectively hijack the victim’s session.

The injected malicious scripts can silently trigger a password reset request on behalf of the user, locking the legitimate user out and granting the attacker full access.

Although the endpoint was designed specifically for SAML integration, the vulnerability remains exploitable even if SAML is not configured.

The ZITADEL development team swiftly addressed this critical flaw by releasing a comprehensive software patch.

Security teams must immediately update their environments to version 4.12.0 or higher. As an added access control measure, organizations should enforce Multi-Factor Authentication (MFA) or Passwordless login.

The 4.12.0 release completely removes the vulnerable /saml-post endpoint by entirely reworking the SAML integration architecture.

The platform’s security has also been hardened so the password change interface now strictly requires the user’s current password, regardless of their authenticated session state.

If an immediate upgrade is not feasible and SAML integration is not required, administrators should deploy a Web Application Firewall (WAF) or reverse-proxy rules to block external traffic to the vulnerable endpoint.

Finally, accounts actively protected by MFA or Passwordless authentication natively mitigate this specific password-reset attack vector.



