ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NZitadel
APPZitadel4.0.0 – 4.12.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
Related vulnerabilities
CVE-2025-67494CRITICAL9.3PL ✓ten sam produkt
SSRF bez uwierzytelnienia w ZITADEL — odczyt wewnętrznych zasobów sieciowych
CVE-2025-27507CRITICAL9.0PL ✓ten sam produkt
IDOR w Zitadel Admin API umożliwia modyfikację wrażliwych ustawień
CVE-2026-44671HIGH7.5ten sam produkt
ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerabil...
CVE-2026-32131HIGH7.7ten sam produkt
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel'...
CVE-2026-32130HIGH7.5ten sam produkt
ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provid...