Skip to main content

ZITADEL CVE-2026-56667

| EUVDEUVD-2026-42964 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 GitHub_M
7.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.3 HIGH
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
7.3 HIGH

Requires admin write access to redirect settings (PR:H) and a victim reaching a specific error path (UI:R, AC:H); stored XSS crosses into the user's browser (S:C) with high C/I and no availability impact.

3.1 AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 19:01 EUVD
Analysis Generated
Jul 10, 2026 - 18:23 vuln.today

DescriptionCVE.org

ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user's browser when an affected login error path is reached. This issue is fixed in version 4.15.3.

AnalysisAI

Stored cross-site scripting in ZITADEL's Login V2 (versions prior to 4.15.3) lets an organization or instance administrator plant a javascript: or data: URI in the loginSettings.defaultRedirectUri, which is passed to router.push on OIDC and SAML FailedPrecondition error paths without the isSafeRedirectUri validation, executing arbitrary script in a victim user's browser. Because the malicious value must be set by a privileged admin and only fires when a user hits a specific login error path, this is a privilege-escalation/session-compromise vector against the self-hosted identity platform rather than a mass-exploitable flaw. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Admin sets malicious defaultRedirectUri (javascript:/data:)
Delivery
Victim login triggers OIDC/SAML FailedPrecondition error
Exploit
Unsafe URI passed to router.push without isSafeRedirectUri
Execution
Script executes in victim browser
Impact
Session/token theft or account compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker holding organization-administrator or instance-administrator privileges in ZITADEL who can write the loginSettings.defaultRedirectUri value, and the payload only executes when a victim user's authentication reaches the Login V2 OIDC or SAML FailedPrecondition error path - a specific, non-default error condition rather than the normal login flow. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.3 (High) with vector AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N - network reachable but gated by high attack complexity, high privileges (an org or instance admin), and required user interaction, offset by a scope change and high confidentiality/integrity impact reflecting script execution in a victim's browser. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised organization administrator sets the login default redirect URI to a javascript: payload that exfiltrates session tokens. When a legitimate user's OIDC or SAML login hits the FailedPrecondition error path, the unsanitized URI is passed to router.push and the script runs in that user's browser, hijacking their session. …
Remediation Vendor-released patch: upgrade to ZITADEL 4.15.3, which restores the isSafeRedirectUri check on the OIDC and SAML FailedPrecondition error paths (fix commit 038265925a3b05ac1df8aad461ab071983e9eb85, release https://github.com/zitadel/zitadel/releases/tag/v4.15.3, advisory https://github.com/zitadel/zitadel/security/advisories/GHSA-5wcj-9wj4-j65h). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit administrative accounts with loginSettings configuration privileges and review all stored defaultRedirectUri values for javascript: or data: URI schemes; remediate any suspicious entries. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-49753 CRITICAL POC
9.1 Oct 25

Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot

CVE-2023-49097 HIGH POC
8.8 Nov 30

ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2026-29191 CRITICAL
9.3 Mar 07

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p

CVE-2025-27507 CRITICAL
9.0 Mar 04

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2024-49757 MEDIUM POC
4.9 Oct 25

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra

CVE-2022-36051 HIGH
8.8 Aug 31

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the

CVE-2025-31123 HIGH
8.7 Mar 31

Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2024-29891 HIGH
8.7 Mar 27

ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi

CVE-2026-29193 HIGH
8.2 Mar 07

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

CVE-2026-56668 HIGH
8.1 Jul 10

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke

CVE-2026-29067 HIGH
8.1 Mar 07

ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For

CVE-2024-32868 HIGH
8.1 Apr 26

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM

Share

CVE-2026-56667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy