Skip to main content

Zitadel CVE-2026-29192

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-07 security-advisories@github.com GHSA-6rx5-m2rc-hmf7
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Mar 10, 2026 - 17:54 nvd
Patch available
CVE Published
Mar 07, 2026 - 15:15 nvd
HIGH 7.7

DescriptionGitHub Advisory

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.

AnalysisAI

Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Zitadel. ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 4.12.0.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

CVE-2024-49753 CRITICAL POC
9.1 Oct 25

Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot

CVE-2023-49097 HIGH POC
8.8 Nov 30

ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2026-29191 CRITICAL
9.3 Mar 07

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p

CVE-2025-27507 CRITICAL
9.0 Mar 04

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2024-49757 MEDIUM POC
4.9 Oct 25

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2022-36051 HIGH
8.8 Aug 31

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the

CVE-2025-31123 HIGH
8.7 Mar 31

Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2024-29891 HIGH
8.7 Mar 27

ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi

CVE-2026-29193 HIGH
8.2 Mar 07

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

CVE-2026-56668 HIGH
8.1 Jul 10

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke

CVE-2026-29067 HIGH
8.1 Mar 07

ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For

CVE-2024-32868 HIGH
8.1 Apr 26

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-29192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy