A critical security vulnerability has been discovered in ZITADEL, an open-source identity and access management platform used by many organizations for authentication and access control.
The vulnerability, tracked as CVE-2026-29191, affects the Login V2 interface, specifically the /saml-post endpoint. Attackers can exploit this issue to run malicious JavaScript in a user’s browser.
With a single click on a specially crafted link, an attacker could reset a user’s password and take full control of the account.
The issue was discovered by security researcher Amit Laish from GE Vernova. It impacts ZITADEL versions 4.0.0 through 4.11.1. The vulnerability exists in the default configuration, meaning systems may be exposed even if SAML integrations are not enabled.
The ZITADEL team has fixed the problem in version 4.12.0.
How the Attack Works
The vulnerability is related to how the /saml-post HTTP endpoint processes requests. This endpoint normally handles communication with SAML identity providers.
It accepts two parameters in requests:
• url
• id
When these parameters are supplied, the endpoint returns a page that makes the browser automatically send an HTTP POST request to the URL given in the url parameter.
The problem occurs because the application redirects users to the user-supplied url value without validating it, so nothing stops the value from using the javascript: scheme instead of a regular web URL. An attacker can therefore create a malicious link that carries such a value.
If a victim clicks the link, the malicious JavaScript runs immediately in the user’s browser session.
A second issue is that user input is reflected in the server response without proper HTML encoding, which gives attackers another way to inject malicious scripts.
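The two defects described above (an unvalidated redirect target and an unencoded reflected value) map to two checks. The following TypeScript is an added illustration, not ZITADEL's own code; it assumes a hypothetical allowlist of identity-provider hosts and hypothetical parameter names, and shows how a server should treat a caller-supplied url and id before building an auto-submitting form.

```typescript
// Added example (not ZITADEL's code): defensive handling of an endpoint that
// auto-POSTs the browser to a caller-supplied "url" and reflects an "id" value.
// Assumption: the deployment knows its trusted IdP hosts ahead of time.
const TRUSTED_IDP_HOSTS = new Set(["idp.example.com"]); // constructed sample allowlist

// Returns a parsed URL only if it is safe to navigate the browser to it.
function validateRedirectTarget(raw: string): URL | null {
  let parsed: URL;
  try {
    parsed = new URL(raw); // throws on relative or malformed input
  } catch {
    return null;
  }
  // The bug class on this page: a "javascript:" target executes in the victim's
  // session when the browser is sent there. Accept only https.
  if (parsed.protocol !== "https:") return null;
  // A scheme check alone still allows open redirects; pin the host to known IdPs.
  if (!TRUSTED_IDP_HOSTS.has(parsed.hostname.toLowerCase())) return null;
  // Embedded credentials are never expected in an IdP endpoint.
  if (parsed.username !== "" || parsed.password !== "") return null;
  return parsed;
}

// Encodes a value for safe placement inside an HTML attribute or text node.
function escapeHtml(value: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return value.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Builds the auto-submit form, or returns null so the caller can answer 400.
// Both the action and the reflected id are encoded before being emitted.
function renderAutoPostForm(rawUrl: string, rawId: string): string | null {
  const target = validateRedirectTarget(rawUrl);
  if (target === null) return null;
  return (
    `<form method="post" action="${escapeHtml(target.href)}">` +
    `<input type="hidden" name="id" value="${escapeHtml(rawId)}">` +
    `</form>`
  );
}
```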
Potential Impact
If attackers exploit this vulnerability, several serious security issues may occur:
• execution of malicious scripts in the victim’s browser
• hijacking of active user sessions
• silent password reset requests
• locking legitimate users out of their accounts
• full takeover of the affected account
Since identity platforms control access to multiple services, a compromised account could also expose other connected systems.
The vulnerability remains active even if SAML authentication is not configured.
Mitigation and Remediation
The ZITADEL development team has released a security patch to fix the issue.
Organizations should take the following actions:
• upgrade ZITADEL to version 4.12.0 or later
• enable multi-factor authentication (MFA) or passwordless login
• monitor authentication logs for unusual activity
• restrict access to sensitive authentication endpoints
The updated version removes the vulnerable /saml-post endpoint and redesigns the SAML integration for better security.
The platform also now requires the user’s current password when changing account credentials, which helps prevent unauthorized password resets.
If upgrading immediately is not possible and SAML integration is not required, administrators can temporarily block external access to the /saml-post endpoint using a web application firewall or reverse proxy rules.
Accounts protected with MFA or passwordless authentication are less likely to be affected by this specific attack.