Critical XSS Vulnerability in ZITADEL Exposes Enterprises to Account Takeovers A severe Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-29191 (Critical severity), has been identified in ZITADEL, an open-source identity and access management (IAM) platform. The flaw, discovered by security researcher Amit Laish of GE Vernova, resides in the platform’s /saml-post endpoint within the login V2 interface. The vulnerability affects ZITADEL versions 4.0.0 through 4.11.1 and exists in the platform’s default configuration, meaning no additional identity integrations are required for exploitation. Attackers can craft malicious links that, when clicked, execute arbitrary JavaScript in a victim’s browser, enabling silent password resets and full account takeovers. The flaw stems from insecure handling of the url and id parameters in the /saml-post endpoint, which processes SAML Identity Provider requests. The endpoint reflects user-supplied input without proper encoding, allowing attackers to inject malicious scripts. Notably, the vulnerability remains exploitable even if SAML is not configured. ZITADEL’s maintainers have released version 4.12.0, which removes the vulnerable endpoint and reworks the SAML integration architecture. Additional security measures include requiring the user’s current password for password changes, regardless of session state. Organizations unable to upgrade immediately can mitigate risk by enforcing Multi-Factor Authentication (MFA) or Passwordless login, deploying a Web Application Firewall (WAF), or blocking traffic to the vulnerable endpoint. Accounts protected by MFA or Passwordless authentication are inherently shielded from this attack vector.

ZITADEL faced a critical Insecure Direct Object Reference (IDOR) vulnerability (CVE-2025-27507), threatening organizations through account takeover and configuration tampering risks. Authenticated users with low privilege were able to manipulate LDAP authentication settings, resulting in potential full account compromise and backend directory infrastructure exposure. Attackers could exploit vulnerable endpoints to reroute LDAP authentication, extract service credentials, deploy phishing content, and disable MFA controls. The exploitation was hard to detect due to minimal forensic traces, posing significant security challenges. Prompt patching and auditing were required to mitigate risks.