The open-source identity and access management (IAM) platform ZITADEL, which businesses frequently use for secure authentication, has a serious flaw. With just one click, unauthenticated remote attackers can run arbitrary JavaScript code inside a user's browser thanks to a vulnerability tracked as CVE-2026-29191.
This could result in password resets and possibly complete system compromise.

According to Amit Laish of GE Vernova, the security researcher who found the bug, it is located in the /saml-post endpoint of the login V2 interface and affects ZITADEL versions 4.0.0 through 4.11.1. This endpoint, which is intended to manage SAML authentication flows, introduces a Cross-Site Scripting (XSS) vulnerability in its default configuration. The vulnerability can be exploited even if SAML integration is disabled.
The problem stems from the way ZITADEL handles the two HTTP GET parameters id and url when communicating with identity providers. Because the server redirects users to the destination given in the url parameter without validating it, attackers can supply a javascript: scheme. When a victim clicks such a crafted link, the browser immediately runs the injected script within the active ZITADEL session.
Because the injected code runs with the privileges of the logged-in user, it can carry out any action on that user's behalf. One particularly serious scenario is the silent initiation of password reset requests, which locks authorized users out of their accounts.
The attack is a one-click remote compromise vector: it requires only a single click on a malicious link sent via chat or email or embedded in a phishing page. Furthermore, the /saml-post endpoint reflects user input in its response without properly HTML-encoding it. This output reflection creates a secondary injection point and widens the exploitable surface for reflected or stored XSS attacks.
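As an added defensive example (not ZITADEL's code, and not the actual fix shipped in 4.12.0), the following Go function shows the kind of allow-list validation that stops a redirect parameter such as url from carrying a javascript: or attacker-controlled destination; the function name and the identity-provider host allow-list are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var ErrUnsafeRedirect = errors.New("unsafe redirect target")

// SafeRedirectTarget validates a caller-supplied redirect destination (such as a
// "url" query parameter) before it is placed in a Location header or a client-side
// redirect. Only absolute http(s) URLs on an allow-listed host, or a same-origin
// absolute path, are accepted. allowedHosts is an assumed operator configuration.
func SafeRedirectTarget(raw string, allowedHosts []string) (string, error) {
	// Browsers strip whitespace/control characters while parsing ("java\tscript:"), so reject them outright.
	for _, r := range raw {
		if r <= 0x20 || r == 0x7f {
			return "", ErrUnsafeRedirect
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrUnsafeRedirect
	}
	if u.Scheme == "" {
		// Relative target: single-slash path only. "//host" is protocol-relative and browsers treat "/\host" the same way.
		if !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") || strings.HasPrefix(raw, `/\`) {
			return "", ErrUnsafeRedirect
		}
		return raw, nil
	}
	// url.Parse lowercases the scheme, so "JavaScript:" is caught here too.
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", ErrUnsafeRedirect
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Hostname(), h) {
			return u.String(), nil
		}
	}
	return "", ErrUnsafeRedirect
}

func main() {
	allowed := []string{"idp.example.com"} // constructed allow-list
	for _, raw := range []string{"https://idp.example.com/sso?SAMLRequest=abc", "javascript:alert(1)", "//evil.example/x", "/ui/login"} {
		target, err := SafeRedirectTarget(raw, allowed)
		fmt.Printf("%q -> target=%q err=%v\n", raw, target, err)
	}
}
```

Note that Hostname() is compared rather than the raw Host field, so a target like https://idp.example.com@evil.example/ (userinfo trick) is also rejected.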
The ZITADEL team quickly released version 4.12.0, which fully fixes the problem by removing the vulnerable /saml-post endpoint and reorganizing the SAML architecture. The update also adds stricter password-change validation: users must re-enter their current credentials before changing them. Security teams should update to version 4.12.0 or later right away.
If administrators cannot patch an environment immediately, they should use a Web Application Firewall (WAF) or reverse proxy to block or filter traffic to /saml-post, and, to reduce the risk of account takeover, enforce Multi-Factor Authentication (MFA) or passwordless login methods.