{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29192", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.714Z", "datePublished": "2026-03-07T15:09:53.454Z", "dateUpdated": "2026-03-09T20:44:25.436Z"}, "containers": {"cna": {"title": "ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 4.0.0, < 4.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:09:53.454Z"}, "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0."}], "source": {"advisory": "GHSA-6rx5-m2rc-hmf7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29192", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:39:42.474571Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:44:25.436Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29192", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:39:42.474571Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:41:53.156Z"}}], "cna": {"title": "ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover", "source": {"advisory": "GHSA-6rx5-m2rc-hmf7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.12.0"}]}], "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:09:53.454Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29192", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:44:25.436Z", "dateReserved": "2026-03-04T14:44:00.714Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T15:09:53.454Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "45902C32-E4BA-459E-80C0-19CBDA6CD5F4", "versionEndExcluding": "4.12.0", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0."}, {"lang": "es", "value": "ZITADEL es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. Desde la versi\u00f3n 4.0.0 hasta la 4.11.1, se descubri\u00f3 una vulnerabilidad en la interfaz de inicio de sesi\u00f3n V2 de Zitadel que permit\u00eda una posible toma de control de cuenta a trav\u00e9s de la redirecci\u00f3n de URI predeterminada. Este problema ha sido parcheado en la versi\u00f3n 4.12.0."}], "id": "CVE-2026-29192", "lastModified": "2026-03-10T17:54:28.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T15:15:55.710", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.12.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zitadel", "source": "cna", "vendor": "zitadel"}, "product": "zitadel", "vendor": "zitadel"}], "analysis": {"en": {"generated_at": "2026-04-17T12:12:17.726589+00:00", "value": {"mitigation_remediation": ["Upgrade Zitadel to version 4.12.0 or later to obtain the vendor\u2011issued fix.", "Prior to upgrading, restrict redirect URIs to a list of approved domains or disable the default redirect feature to prevent injection of malicious URIs.", "Ensure all existing redirect fields are reviewed and sanitized by server\u2011side validation to block non\u2011trusted scripts."], "summary": {"action": "Immediate Patch", "impact": "Account takeover via stored XSS in the redirect field"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Zitadel identity management platform versions 4.0.0 to 4.11.1. Zitadel 4.12.0 and later incorporate the fix and therefore are not affected.", "description_and_impact": "Zitadel versions 4.0.0 through 4.11.1 contain a stored cross\u2011site scripting flaw in the login V2 interface that can be triggered through a malicious default URI redirect. The flaw allows an attacker to inject script that is stored and subsequently executed when the login page is rendered, potentially stealing session cookies or performing actions on behalf of the victim, resulting in account takeover.", "risk_and_exploitability": "The flaw has a CVSS score of 7.7, indicating high severity, but the EPSS score is below 1\u202f%, meaning that exploitation is currently considered unlikely. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Attackers would need to embed a malicious redirect URI into the login flow; once the login page loads with this stored value, user browsers will execute the injected script. The attack path is user\u2011visible and does not require elevated privileges, relying solely on the victim interacting with the compromised login page."}}}}, "created": "2026-03-09T10:05:21.093813+00:00", "updated": "2026-04-17T12:15:18.171772+00:00", "vendors": ["zitadel", "zitadel$PRODUCT$zitadel"]}