CVE-2026-29191 Overview
CVE-2026-29191 is a Cross-Site Scripting (XSS) vulnerability in ZITADEL, an open source identity management platform. The vulnerability exists in Zitadel's login V2 interface, specifically in the /saml-post endpoint, affecting versions 4.0.0 through 4.11.1. This flaw can be exploited to achieve account takeover, making it a severe security risk for organizations relying on ZITADEL for identity and access management.
Critical Impact
This XSS vulnerability in the SAML authentication endpoint can lead to complete account takeover, allowing attackers to hijack user sessions, steal credentials, and impersonate legitimate users within the identity management system.
Affected Products
- ZITADEL versions 4.0.0 through 4.11.1
- ZITADEL login V2 interface
- ZITADEL SAML authentication endpoints
Discovery Timeline
- 2026-03-07 - CVE-2026-29191 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-29191
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw resides in the /saml-post endpoint within Zitadel's login V2 interface. When processing SAML authentication responses, the endpoint fails to properly sanitize user-controlled input before rendering it in the browser context.
The network-accessible nature of this vulnerability means attackers can craft malicious SAML requests that, when processed by the vulnerable endpoint, execute arbitrary JavaScript in the context of a victim's authenticated session. Since ZITADEL serves as an identity provider, successful exploitation grants attackers access to authentication tokens and session credentials, enabling full account takeover.
The vulnerability requires user interaction—a victim must be tricked into clicking a malicious link or visiting a compromised page that triggers the SAML flow. However, the impact extends beyond the immediate user context due to the scope change characteristic, potentially affecting other applications relying on ZITADEL for authentication.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding in the /saml-post endpoint. When SAML response data is processed and reflected back to users, the application fails to properly escape special characters that could be interpreted as HTML or JavaScript. This allows attackers to inject malicious scripts that execute within the trusted domain context of the ZITADEL instance.
Attack Vector
An attacker exploits this vulnerability by crafting a malicious SAML request containing JavaScript payloads. The attack typically follows this sequence:
- The attacker prepares a specially crafted SAML request with embedded XSS payload
- The victim is lured to initiate authentication through a malicious link
- The request is processed by the /saml-post endpoint
- The malicious script executes in the victim's browser within the ZITADEL domain
- The script exfiltrates session tokens, cookies, or credentials to an attacker-controlled server
- The attacker uses the stolen credentials to impersonate the victim
The vulnerability manifests in the SAML POST binding handler where response data is rendered without proper sanitization. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-29191
Indicators of Compromise
- Unusual JavaScript execution patterns in authentication flow logs
- Unexpected outbound connections from user browsers during SAML authentication
- Session tokens or authentication cookies being transmitted to external domains
- Anomalous SAML requests containing encoded script tags or event handlers
- Reports of unauthorized account access following SAML-based authentication
Detection Strategies
- Monitor web application logs for SAML requests containing suspicious patterns such as <script>, javascript:, or encoded variants
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Deploy web application firewall (WAF) rules to identify XSS payloads in SAML parameters
- Enable browser-side XSS auditing and monitor for triggered protections
Monitoring Recommendations
- Audit all SAML authentication endpoints for anomalous request patterns
- Configure alerting for multiple failed authentication attempts followed by successful sessions
- Review access logs for the /saml-post endpoint and flag requests with unusual payloads
- Implement real-time monitoring of session creation events for signs of hijacking
How to Mitigate CVE-2026-29191
Immediate Actions Required
- Upgrade ZITADEL to version 4.12.0 or later immediately
- Review authentication logs for signs of exploitation attempts
- Invalidate active sessions for users who may have been exposed to malicious links
- Implement additional input validation at the network perimeter using WAF rules
Patch Information
ZITADEL has addressed this vulnerability in version 4.12.0. Organizations should upgrade to this version or later to remediate the XSS vulnerability. The fix implements proper input sanitization and output encoding for the /saml-post endpoint. Detailed patch information is available in the GitHub Security Advisory.
Workarounds
- Implement strict Content Security Policy headers to prevent inline script execution as a defense-in-depth measure
- Deploy a web application firewall with XSS filtering rules in front of ZITADEL instances
- Restrict access to the ZITADEL login interface to trusted networks where feasible
- Monitor and rate-limit requests to the /saml-post endpoint to reduce exploitation windows
# Example Content Security Policy header configuration for nginx
# Add to your ZITADEL reverse proxy configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
