Platform: go
Component: github.com/zitadel/zitadel
Fixed in: 4.0.1, 4.12.0
CVE-2026-29191 describes a critical Cross-Site Scripting (XSS) vulnerability in Zitadel, a Go-based identity provider. The flaw can be leveraged for a 1-Click Account Takeover by manipulating the /saml-post endpoint. It affects versions prior to 4.12.0, and a patch has been released to address the issue.
The primary impact of CVE-2026-29191 is unauthorized account takeover. An attacker exploiting this XSS vulnerability can inject malicious script via the /saml-post endpoint which, when a legitimate user visits the affected page, executes in that user's browser context. This can give the attacker full control of the user's account, including access to sensitive data, the ability to perform actions on the user's behalf, and potentially a path to escalate privileges within the Zitadel instance. The '1-Click Account Takeover' designation highlights how little interaction is needed to exploit the flaw, making it a high-priority concern.
CVE-2026-29191 was publicly disclosed on 2026-03-10. No public proof-of-concept (PoC) code had been released at the time of writing, but the low interaction required by 1-Click Account Takeover vulnerabilities suggests a high probability that it will be exploited. The CVSS score of 9.3 (CRITICAL) reinforces this concern. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Zitadel instances.
Exploit Status
EPSS: 0.01% (3rd percentile)
The recommended mitigation for CVE-2026-29191 is to immediately upgrade Zitadel to version 4.12.0 or later. This version includes a fix that addresses the underlying XSS vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the /saml-post endpoint to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to access the /saml-post endpoint with a crafted payload designed to trigger the XSS vulnerability – it should no longer execute.
Update ZITADEL to version 4.12.0 or higher. This version contains the fix for the XSS vulnerability in the /saml-post endpoint. The update will mitigate the risk of potential account takeover.
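The page does not say where in the /saml-post handler the injection occurs, so the following is an added illustration of the bug class behind a SAML POST-binding XSS in Go, not Zitadel's code: a form that splices request-controlled values (here RelayState) straight into HTML beside the same form rendered through html/template, whose context-aware escaping is the durable fix behind the "input validation and sanitization" advice above. Field names and the ACS URL are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Data rendered into the auto-submitting SAML POST-binding form.
type postData struct {
	ACSURL, SAMLResponse, RelayState string
}

// Hypothetical form; the field set is an assumption, not Zitadel's template.
var postForm = template.Must(template.New("saml-post").Parse(`<!DOCTYPE html>
<html><body onload="document.forms[0].submit()">
<form method="POST" action="{{.ACSURL}}">
<input type="hidden" name="SAMLResponse" value="{{.SAMLResponse}}">
<input type="hidden" name="RelayState" value="{{.RelayState}}">
</form></body></html>`))

// renderUnsafe concatenates request-controlled values straight into HTML, so a
// RelayState such as `"><script>` closes the attribute and lands as markup.
func renderUnsafe(d postData) string {
	return `<form method="POST" action="` + d.ACSURL + `">` +
		`<input type="hidden" name="SAMLResponse" value="` + d.SAMLResponse + `">` +
		`<input type="hidden" name="RelayState" value="` + d.RelayState + `"></form>`
}

// renderSafe routes the same data through html/template, which escapes each
// value for the context it lands in (attribute value, URL attribute), so any
// markup in RelayState is emitted as entity-encoded text, never as tags.
func renderSafe(d postData) (string, error) {
	var buf bytes.Buffer
	if err := postForm.Execute(&buf, d); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed probe: a RelayState that tries to break out of the attribute.
	d := postData{ACSURL: "https://sp.example/acs", SAMLResponse: "PHNhbWw+",
		RelayState: `"><script>probe</script>`}
	fmt.Println("unsafe:", renderUnsafe(d))
	safe, _ := renderSafe(d)
	fmt.Println("safe:", safe)
}
```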
What is CVE-2026-29191? CVE-2026-29191 is a critical Cross-Site Scripting (XSS) vulnerability in Zitadel's /saml-post endpoint, allowing potential account takeover.
Am I affected? Yes, if you are using Zitadel versions prior to 4.12.0, you are exposed to this XSS vulnerability.
How do I fix it? Upgrade Zitadel to version 4.12.0 or later to patch the vulnerability. Consider input validation as a temporary workaround.
Is it being exploited? While no public exploits are currently known, the low interaction required suggests a high probability of future exploitation.
Where can I find more information? Refer to the Zitadel security advisories on their official website or GitHub repository for the latest information.