{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29191", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.714Z", "datePublished": "2026-03-07T15:07:02.706Z", "dateUpdated": "2026-03-09T20:44:25.583Z"}, "containers": {"cna": {"title": "ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pr34-2v5x-6qjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pr34-2v5x-6qjq"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 4.0.0, < 4.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:09:12.984Z"}, "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0."}], "source": {"advisory": "GHSA-pr34-2v5x-6qjq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:39:52.757099Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:44:25.583Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:39:52.757099Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:41:55.217Z"}}], "cna": {"title": "ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint", "source": {"advisory": "GHSA-pr34-2v5x-6qjq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.12.0"}]}], "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pr34-2v5x-6qjq", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pr34-2v5x-6qjq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:09:12.984Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29191", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:44:25.583Z", "dateReserved": "2026-03-04T14:44:00.714Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T15:07:02.706Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "45902C32-E4BA-459E-80C0-19CBDA6CD5F4", "versionEndExcluding": "4.12.0", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0."}, {"lang": "es", "value": "ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. Desde la versi\u00f3n 4.0.0 hasta la 4.11.1, fue descubierta una vulnerabilidad en la interfaz de inicio de sesi\u00f3n V2 de Zitadel que permit\u00eda una posible toma de control de cuenta mediante XSS en el endpoint /saml-post. Este problema ha sido parcheado en la versi\u00f3n 4.12.0."}], "id": "CVE-2026-29191", "lastModified": "2026-03-10T17:55:39.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T15:15:55.557", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pr34-2v5x-6qjq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.12.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zitadel", "source": "cna", "vendor": "zitadel"}, "product": "zitadel", "vendor": "zitadel"}], "analysis": {"en": {"generated_at": "2026-04-16T10:55:54.249690+00:00", "value": {"mitigation_remediation": ["Upgrade Zitadel to version 4.12.0 or later", "If possible, restrict or disable the /saml\u2011post endpoint to reduce attack surface", "Deploy a Content Security Policy that blocks inline scripts to mitigate any residual XSS vectors"], "summary": {"action": "Immediate Patch", "impact": "Account Takeover via XSS"}, "threat_synthesis": {"affected_systems": "The affected product is Zitadel, a free and open\u2011source identity management platform. Versions from 4.0.0 through 4.11.1 are vulnerable. The issue was addressed in version 4.12.0 and later.", "description_and_impact": "A cross\u2011site scripting flaw exists in the login V2 interface of the Zitadel identity platform. An attacker who can inject a malicious script into the /saml\u2011post endpoint can force the victim\u2019s browser to execute that script during authentication, enabling unauthorized access to the victim\u2019s account. The vulnerability is identified as CWE\u201179 and can potentially allow attackers to steal session cookies or otherwise hijack user credentials. The impact is a complete compromise of the affected user\u2019s account, exposing all resources that the account can access.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical severity, while the EPSS score of less than 1% suggests that, as of now, the risk of active exploitation is low. The vulnerability is not yet listed in the CISA KEV catalog. An attacker would need to deliver a crafted request to the /saml\u2011post endpoint, likely involving social engineering or a malicious link, to trigger the XSS. Once the script runs in the victim\u2019s browser, the attacker can hijack the session and take over the account. The combination of high potential impact and low current exploitation probability still warrants prompt remediation."}}}}, "created": "2026-03-09T10:05:21.960329+00:00", "updated": "2026-04-16T11:00:10.652663+00:00", "vendors": ["zitadel", "zitadel$PRODUCT$zitadel"]}