
The flaw, tracked as CVE‑2026‑29191, allows unauthenticated remote attackers to execute arbitrary JavaScript code directly inside a user’s browser, leading to password resets and potentially full system compromise with just a single click.
Vulnerability Details
Discovered by security researcher Amit Laish of GE Vernova, the bug affects ZITADEL versions 4.0.0 through 4.11.1 and resides in the login V2 interface, specifically the /saml-post endpoint.
This endpoint, designed to handle SAML authentication flows, inadvertently introduces a Cross‑Site Scripting (XSS) weakness in its default configuration. Alarmingly, the flaw is exploitable even if SAML integration is not enabled.
The issue arises from how ZITADEL processes two HTTP GET parameters, url and id, when handing the browser off to an identity provider.
The server redirects the user to whatever destination the url parameter names without validating it, so an attacker can supply a javascript: URL in place of an http(s) one.
When a victim clicks such a crafted link, the browser immediately executes the injected script within the active ZITADEL session.
Since the injected code runs with the same privileges as a logged‑in user, it can perform any action on their behalf.
A particularly severe scenario involves silently triggering password reset requests, effectively locking legitimate users out of their accounts.
Because the attack requires only a single click on a malicious link, delivered by email, chat, or a phishing page, it is a 1‑click remote compromise vector.
Additionally, the /saml-post endpoint reflects user input in its response without proper HTML encoding.
This unencoded reflection is a second injection point: even without the javascript: redirect, attacker-controlled parameter values land in the page unescaped, giving a reflected XSS vector.
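The two weaknesses described above, an unvalidated url parameter and unencoded reflection, are easiest to understand beside their hardened form. The following Go program (Go being the language of the ZITADEL server) is an added example written for this article; it is not ZITADEL's own code or the 4.12.0 patch, and the function names, the allowedHosts list and the minimal form template are assumptions. It shows an allowlist check for the url parameter (scheme must be http or https and the host must be a configured IdP) and context-aware rendering with html/template, which rewrites a javascript: URL in an action attribute to the inert #ZgotmplZ marker and attribute-escapes the id value.

```go
package main

import (
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// allowedSchemes is the allowlist applied to the attacker-controlled "url"
// parameter. Refusing everything that is not plain http(s) rejects
// javascript:, data:, vbscript: and scheme-relative (//host) values without
// having to enumerate them.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// SafeRedirectTarget validates a redirect / form-action target. It returns
// the parsed URL and true only when the value parses, carries an allowlisted
// scheme and points at one of the expected identity-provider hosts.
// allowedHosts is an assumption for this example; a real deployment would
// derive it from the configured IdP records, never from the request.
func SafeRedirectTarget(raw string, allowedHosts []string) (string, bool) {
	// url.Parse rejects control characters (so "java\tscript:" fails here)
	// and lower-cases the scheme (so "JavaScript:" is caught by the allowlist).
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", false
	}
	if !allowedSchemes[u.Scheme] {
		return "", false
	}
	// Hostname() strips userinfo and port, so "https://idp.example.com@evil.example.com/"
	// is compared as "evil.example.com" and rejected.
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", false
	}
	for _, h := range allowedHosts {
		if host == strings.ToLower(h) {
			return u.String(), true
		}
	}
	return "", false
}

// postPage is the auto-submitting form a SAML POST-binding page renders
// (a minimal stand-in for this example). html/template is context aware:
// inside the action attribute a value whose scheme is not http, https or
// mailto is replaced by "#ZgotmplZ", and the id value is attribute-escaped,
// so neither parameter can break out into script.
var postPage = template.Must(template.New("saml-post").Parse(
	`<form method="post" action="{{.Action}}"><input type="hidden" name="id" value="{{.ID}}"></form>`))

type postPageData struct {
	Action string
	ID     string
}

// RenderPostPage renders the form for attacker-influenced action and id
// values. It is the second layer: SafeRedirectTarget should already have
// rejected a bad action, but the escaping holds even if that check is bypassed.
func RenderPostPage(action, id string) (string, error) {
	var sb strings.Builder
	if err := postPage.Execute(&sb, postPageData{Action: action, ID: id}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	hosts := []string{"idp.example.com"}
	for _, in := range []string{
		"https://idp.example.com/sso",
		"javascript:alert(document.cookie)",
		"JavaScript:alert(1)",
		"java\tscript:alert(1)",
		"//evil.example.com/phish",
		"https://idp.example.com@evil.example.com/",
	} {
		out, ok := SafeRedirectTarget(in, hosts)
		fmt.Printf("%-45q allowed=%-5v target=%q\n", in, ok, out)
	}
	page, _ := RenderPostPage("javascript:alert(1)", `"><script>alert(1)</script>`)
	fmt.Println(page)
}
```

The validator is an allowlist rather than a javascript: blocklist: net/url lower-cases the scheme and rejects control characters, so JavaScript:, java<TAB>script: and similar evasions fall out of the same check, and scheme-relative //evil.example.com values fail the scheme test, which also closes the plain open redirect.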
The ZITADEL team promptly released version 4.12.0, which fully patches this issue by removing the vulnerable /saml-post endpoint and restructuring the SAML architecture.
The update also enforces stricter password‑change validation, requiring users to re‑enter their existing credentials before updating them.
Security teams should upgrade immediately to version 4.12.0 or later. For environments unable to patch right away, administrators should:
- Block or filter traffic to /saml-post via a Web Application Firewall (WAF) or reverse proxy;
- Enforce Multi‑Factor Authentication (MFA) or passwordless login mechanisms to mitigate account‑takeover risk.
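Whether the endpoint is blocked at the proxy or removed by upgrading, teams should also look back through access logs for exploitation attempts. The following Go program is an added example, not ZITADEL's or the article's own tooling; the log lines are constructed for the example, the nginx/Apache combined log format is an assumption, and the path is matched by suffix in case the login UI is served under a prefix. It extracts each /saml-post request, decodes its url parameter once, and flags any value that is not an absolute http(s) URL, which covers mixed-case javascript:, data: and double-encoded variants.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one access-log hit worth reviewing.
type Finding struct {
	Client   string
	Target   string // decoded value of the "url" parameter
	Severity string // "high" for a non-http(s) target, "info" for any other /saml-post hit
}

// requestLine matches the client address and request target of a
// combined/common-log-format line (nginx/Apache style; an assumption here).
var requestLine = regexp.MustCompile(`^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/`)

// SampleLog is constructed for this example: one legitimate IdP hand-off,
// three attack variants, and one unrelated request.
var SampleLog = []string{
	`203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /saml-post?url=https%3A%2F%2Fidp.example.com%2Fsso&id=abc123 HTTP/1.1" 200 512`,
	`203.0.113.9 - - [10/Mar/2026:09:15:41 +0000] "GET /saml-post?url=javascript%3Aalert(document.cookie)&id=x HTTP/1.1" 200 498`,
	`203.0.113.9 - - [10/Mar/2026:09:15:55 +0000] "GET /saml-post?url=JaVaScRiPt%3Aalert(1)&id=x HTTP/1.1" 200 498`,
	`198.51.100.4 - - [10/Mar/2026:09:16:10 +0000] "GET /saml-post?url=%256Aavascript%3Aalert(1)&id=x HTTP/1.1" 200 498`,
	`198.51.100.4 - - [10/Mar/2026:09:16:30 +0000] "GET /ui/login HTTP/1.1" 200 2048`,
}

// suspiciousTarget reports whether a decoded "url" value is anything other
// than an absolute http(s) URL: unparsable, schemeless, or a scheme such as
// javascript: or data:. url.Parse lower-cases the scheme and rejects control
// characters, so mixed case and embedded tabs do not evade the check; a
// double-encoded value decodes once to "%6Aavascript:..." which fails to
// parse and is therefore flagged as well.
func suspiciousTarget(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return true
	}
	return u.Scheme != "http" && u.Scheme != "https"
}

// ScanAccessLog returns one Finding per request whose path ends in /saml-post.
func ScanAccessLog(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		req, err := url.Parse(m[2])
		if err != nil || !strings.HasSuffix(req.Path, "/saml-post") {
			continue
		}
		// Query() percent-decodes exactly once, the same as the server would.
		target := req.Query().Get("url")
		sev := "info"
		if target != "" && suspiciousTarget(target) {
			sev = "high"
		}
		findings = append(findings, Finding{Client: m[1], Target: target, Severity: sev})
	}
	return findings
}

func main() {
	for _, f := range ScanAccessLog(SampleLog) {
		fmt.Printf("[%s] client=%s url=%q\n", f.Severity, f.Client, f.Target)
	}
}
```

Even the "info" hits deserve a look in a deployment that does not use SAML: the article notes the endpoint is reachable regardless, so any traffic to it before the upgrade is unexpected.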
The post 1-Click Vulnerability in ZITADEL Enables Attackers to Take Over Entire Systems appeared first on Cyber Security News.
