CVE-2026-29191
Published: 07 March 2026
Summary
CVE-2026-29191 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Zitadel Zitadel. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Filters and encodes outputs from the /saml-post endpoint to prevent execution of injected scripts leading to XSS-based account takeover.
Validates inputs to the login V2 /saml-post endpoint to reject malicious payloads that could enable XSS exploitation.
Mandates timely patching of identified flaws, such as upgrading ZITADEL to version 4.12.0 to remediate this XSS vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in public-facing ZITADEL /saml-post endpoint directly enables T1190 (exploiting public-facing web apps for initial access) and facilitates T1185 (browser session hijacking via injected scripts to steal tokens/credentials for account takeover).
NVD Description
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version…
more
4.12.0.
Deeper analysisAI
CVE-2026-29191 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the login V2 interface of ZITADEL, an open-source identity management platform. The issue affects versions 4.0.0 through 4.11.1 and resides in the /saml-post endpoint, enabling potential account takeover. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low complexity, and high potential impact on confidentiality and integrity.
Attackers require no privileges and can exploit the vulnerability remotely by tricking authenticated users into interacting with malicious content, such as through a crafted SAML POST request delivered via phishing or similar vectors. Successful exploitation expands the scope of impact, allowing attackers to steal session tokens or credentials, resulting in full account takeover and unauthorized access to the victim's identity management resources.
The vulnerability has been patched in ZITADEL version 4.12.0. Administrators are advised to upgrade immediately to mitigate the risk. Additional details are available in the GitHub Security Advisory at https://github.com/zitadel/zitadel/security/advisories/GHSA-pr34-2v5x-6qjq.
Details
- CWE(s)