Platform: go
Component: github.com/zitadel/zitadel
Fixed in: 4.0.1, 4.12.0
CVE-2026-29191 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in Zitadel, a Go-based identity provider. This flaw allows attackers to potentially achieve a 1-Click Account Takeover through manipulation of the /saml-post endpoint. The vulnerability impacts versions prior to 4.12.0, and a patch has been released to address the issue.
The primary impact of CVE-2026-29191 is the potential for unauthorized account takeover. An attacker exploiting this XSS vulnerability can inject malicious scripts into the /saml-post endpoint, which, when accessed by a legitimate user, could execute arbitrary code in the user's browser context. This could lead to the attacker gaining full control of the user's account, including access to sensitive data, the ability to perform actions on their behalf, and potentially escalate privileges within the Zitadel instance. The '1-Click Account Takeover' designation highlights the ease with which this vulnerability can be exploited, making it a high-priority concern.
CVE-2026-29191 was publicly disclosed on 2026-03-10. While no public proof-of-concept (POC) code has been released at the time of writing, the ease of exploitation associated with 1-Click Account Takeover vulnerabilities suggests a high probability of exploitation. The CVSS score of 9.3 (CRITICAL) further reinforces this concern. It is advisable to monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Zitadel instances.
Organizations utilizing Zitadel as their identity provider, particularly those relying on SAML-based authentication, are at risk. This includes businesses of all sizes, especially those with sensitive data or critical infrastructure managed through Zitadel. Shared hosting environments where multiple users share a single Zitadel instance are also particularly vulnerable.
• linux / server:
  journalctl -u zitadel -f | grep -i 'saml-post'   # monitor for suspicious activity related to the SAML endpoint
• generic web:
  curl -I https://your-zitadel-instance/saml-post   # check response headers for unusual content or XSS indicators

EPSS: 0.01% (3rd percentile)
The recommended mitigation for CVE-2026-29191 is to immediately upgrade Zitadel to version 4.12.0 or later. This version includes a fix that addresses the underlying XSS vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the /saml-post endpoint to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to access the /saml-post endpoint with a crafted payload designed to trigger the XSS vulnerability – it should no longer execute.
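To make the escaping that the mitigation refers to concrete, here is an added example written for this page, not Zitadel's own code. It assumes the common shape of a SAML HTTP-POST binding endpoint, which returns an auto-submitting HTML form carrying SAMLResponse and RelayState taken from the request (the page does not state the exact mechanism of the Zitadel flaw); all URLs and values are constructed. It shows Go's html/template escaping those request values for their attribute context, plus a helper that checks no input markup survives verbatim.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed auto-submit form for a SAML HTTP-POST binding. SAMLResponse and
// RelayState come from the request, so they are untrusted; html/template
// escapes each for the attribute it lands in (string concatenation would not).
const samlPostPage = `<!DOCTYPE html><html><body onload="document.forms[0].submit()">
<form method="post" action="{{.ACSURL}}">
<input type="hidden" name="SAMLResponse" value="{{.SAMLResponse}}">
<input type="hidden" name="RelayState" value="{{.RelayState}}">
<noscript><button type="submit">Continue</button></noscript>
</form></body></html>`

var samlPostTmpl = template.Must(template.New("saml-post").Parse(samlPostPage))
type samlPostData struct{ ACSURL, SAMLResponse, RelayState string }

// RenderSAMLPost renders the form; html/template also replaces an acsURL with an unsafe scheme by "#ZgotmplZ".
func RenderSAMLPost(acsURL, samlResponse, relayState string) (string, error) {
	var buf bytes.Buffer
	if err := samlPostTmpl.Execute(&buf, samlPostData{acsURL, samlResponse, relayState}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsRawMarkup reports whether any input holding markup characters
// appears verbatim in the rendered page, i.e. whether escaping was bypassed.
func ContainsRawMarkup(page string, inputs ...string) bool {
	for _, in := range inputs {
		if strings.ContainsAny(in, `<>"'`) && strings.Contains(page, in) {
			return true
		}
	}
	return false
}

func main() {
	relay := `"><script>x</script>` // constructed sample carrying markup instead of an opaque token
	page, err := RenderSAMLPost("https://sp.example.test/acs", "UEdBc2U=", relay)
	if err != nil {
		panic(err)
	}
	fmt.Println(page, "\nraw markup leaked:", ContainsRawMarkup(page, relay)) // false
}
```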
Update ZITADEL to version 4.12.0 or later. This version contains the fix for the XSS vulnerability in the /saml-post endpoint. Updating mitigates the risk of a possible account takeover.
CVE-2026-29191 is a critical Cross-Site Scripting (XSS) vulnerability in Zitadel's /saml-post endpoint, allowing potential account takeover.
Yes, if you are using Zitadel versions prior to 4.12.0, you are vulnerable to this XSS attack.
Upgrade Zitadel to version 4.12.0 or later to patch the vulnerability. Consider input validation as a temporary workaround.
While no public exploits are currently known, the ease of exploitation suggests a high probability of future exploitation.
Refer to the Zitadel security advisories on their official website or GitHub repository for the latest information.