CRITICALCVE-2026-29191Published Modified CNA GitHub_M
CVE-2026-29191: ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint
ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0.
Metrics
- CVSS v3.1
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
Affected packages
- zitadel / zitadel>= 4.0.0, < 4.12.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N