Severity by source
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Requires admin write access to redirect settings (PR:H) and a victim reaching a specific error path (UI:R, AC:H); stored XSS crosses into the user's browser (S:C) with high C/I and no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user's browser when an affected login error path is reached. This issue is fixed in version 4.15.3.
AnalysisAI
Stored cross-site scripting in ZITADEL's Login V2 (versions prior to 4.15.3) lets an organization or instance administrator plant a javascript: or data: URI in the loginSettings.defaultRedirectUri, which is passed to router.push on OIDC and SAML FailedPrecondition error paths without the isSafeRedirectUri validation, executing arbitrary script in a victim user's browser. Because the malicious value must be set by a privileged admin and only fires when a user hits a specific login error path, this is a privilege-escalation/session-compromise vector against the self-hosted identity platform rather than a mass-exploitable flaw. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an attacker holding organization-administrator or instance-administrator privileges in ZITADEL who can write the loginSettings.defaultRedirectUri value, and the payload only executes when a victim user's authentication reaches the Login V2 OIDC or SAML FailedPrecondition error path - a specific, non-default error condition rather than the normal login flow. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.3 (High) with vector AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N - network reachable but gated by high attack complexity, high privileges (an org or instance admin), and required user interaction, offset by a scope change and high confidentiality/integrity impact reflecting script execution in a victim's browser. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised organization administrator sets the login default redirect URI to a javascript: payload that exfiltrates session tokens. When a legitimate user's OIDC or SAML login hits the FailedPrecondition error path, the unsanitized URI is passed to router.push and the script runs in that user's browser, hijacking their session. … |
| Remediation | Vendor-released patch: upgrade to ZITADEL 4.15.3, which restores the isSafeRedirectUri check on the OIDC and SAML FailedPrecondition error paths (fix commit 038265925a3b05ac1df8aad461ab071983e9eb85, release https://github.com/zitadel/zitadel/releases/tag/v4.15.3, advisory https://github.com/zitadel/zitadel/security/advisories/GHSA-5wcj-9wj4-j65h). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit administrative accounts with loginSettings configuration privileges and review all stored defaultRedirectUri values for javascript: or data: URI schemes; remediate any suspicious entries. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Zitadel is open-source identity infrastructure software. Rated critical severity (CVSS 9.1), this vulnerability is remot
ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject p
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Ra
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the
Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely
ZITADEL users can upload their own avatar image and various image types are allowed. Rated high severity (CVSS 8.7), thi
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 toke
ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the For
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SM
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42964