Critical 1-Click Account Takeover Vulnerability Patched in ZITADEL IAM Platform
Take action: If you are using ZITADEL, this is important. Plan an immediate update to version 4.12.0: full exploit instructions are already public, so your users are at real risk of account takeover. If you cannot patch today, block the /saml-post endpoint at your firewall and ensure MFA is active for all users.
ZITADEL, an open-source identity and access management (IAM) platform, patched a critical security flaw that allows unauthenticated attackers to take over user accounts.
The vulnerability is tracked as CVE-2026-29191 (CVSS score 9.6): a cross-site scripting (XSS) flaw in the /saml-post endpoint that lets unauthenticated attackers execute arbitrary JavaScript. The server fails to validate the url and id GET parameters, so an attacker can inject a javascript: scheme value that executes when a user clicks a crafted link. Because the injected code runs within the victim's active session, it bypasses standard origin protections and lets the attacker perform actions such as triggering silent password resets.
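The bug class described above, as an added Go example that is not ZITADEL's code and is not taken from the advisory: a constructed handler fragment reflects the url and id query parameters into an auto-submitting SAML POST page with no encoding and no scheme check, placed beside a hardened version that allow-lists both values (absolute https URL with a host; id restricted to a hypothetical character set, since the page does not state the real id format) and renders through html/template, which escapes each value for the HTML context it lands in. The function names, template markup and the idp.example host are assumptions for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"regexp"
)

// renderSAMLPostUnsafe is a constructed illustration of the bug class, not
// ZITADEL's code: the "url" and "id" query parameters are concatenated into
// the SAML POST page with no encoding and no scheme check, so a javascript:
// value lands verbatim in the form's action attribute.
func renderSAMLPostUnsafe(rawURL, id string) string {
	return fmt.Sprintf(`<form method="post" action="%s"><input type="hidden" name="RelayState" value="%s"></form>`, rawURL, id)
}

var (
	errBadScheme = errors.New("saml-post: url must be an absolute https URL with a host")
	errBadID     = errors.New("saml-post: id contains characters outside [A-Za-z0-9_.-]")
	// Hypothetical allow-list for the id parameter; the real format is
	// whatever the SAML flow issues, so adjust the pattern to match it.
	idPattern = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,128}$`)
)

// validateTarget parses the destination and accepts only absolute https
// URLs, so javascript:, data: and scheme-relative (//host) values are
// rejected before any HTML is produced.
func validateTarget(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, errBadScheme
	}
	return u, nil
}

// samlPostTmpl uses html/template, which escapes each value according to
// the context it is inserted into (URL attribute vs. plain attribute).
var samlPostTmpl = template.Must(template.New("saml-post").Parse(
	`<form method="post" action="{{.URL}}"><input type="hidden" name="RelayState" value="{{.ID}}"></form>`))

// renderSAMLPostSafe is the hardened form: validate both inputs against an
// allow-list, then render through a context-aware template.
func renderSAMLPostSafe(rawURL, id string) (string, error) {
	u, err := validateTarget(rawURL)
	if err != nil {
		return "", err
	}
	if !idPattern.MatchString(id) {
		return "", errBadID
	}
	var buf bytes.Buffer
	data := struct{ URL, ID string }{u.String(), id}
	if err := samlPostTmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed inputs: one non-https scheme, one well-formed target.
	fmt.Println("unsafe:  ", renderSAMLPostUnsafe("javascript:void(0)", "x"))
	out, err := renderSAMLPostSafe("javascript:void(0)", "x")
	fmt.Printf("hardened: %q err=%v\n", out, err)
	out, err = renderSAMLPostSafe("https://idp.example/sso", "req_01")
	fmt.Printf("hardened: %q err=%v\n", out, err)
}
```

Validation before templating matters even though html/template would neutralise a javascript: URL in the action attribute on its own: rejecting the request with an error is visible in logs and to the caller, whereas the template's silent substitution would let a malformed request succeed quietly.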
By executing malicious scripts in the user's browser, attackers can bypass authentication controls and modify account settings.
The vulnerability affects ZITADEL versions 4.0.0 through 4.11.1, including all release candidate versions. Security researcher Amit Laish from GE Vernova discovered that the /saml-post endpoint reflects user input without proper HTML encoding, creating multiple injection points.
ZITADEL released version 4.12.0 to fix the flaw by completely removing the vulnerable /saml-post endpoint and restructuring the SAML integration. The update also introduces a security hardening measure that requires users to provide their current password before making any changes to their credentials. Organizations should update to version 4.12.0 immediately; those unable to patch should use a Web Application Firewall (WAF) to block access to the /saml-post path and enforce multi-factor authentication (MFA) to reduce the risk of account takeover.
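For teams that cannot patch immediately and want to know whether the endpoint is being probed, the following added Go example (not ZITADEL's code, not from the advisory) scans constructed web-server access-log lines in combined log format: any request to /saml-post is reported as a notice, and a request whose url or id parameter carries a javascript: or data: scheme or HTML metacharacters is raised to an alert. The sample lines, IP addresses and the idp.example host are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed access-log lines (combined log format); they
// are not real traffic.
var sampleLog = []string{
	`203.0.113.5 - - [10/Mar/2026:09:14:02 +0000] "GET /saml-post?url=https%3A%2F%2Fidp.example%2Fsso&id=req_01 HTTP/1.1" 200 812 "-" "Mozilla/5.0"`,
	`198.51.100.7 - - [10/Mar/2026:09:15:41 +0000] "GET /saml-post?url=javascript%3Avoid(0)&id=x HTTP/1.1" 200 811 "-" "Mozilla/5.0"`,
	`203.0.113.9 - - [10/Mar/2026:09:16:10 +0000] "GET /ui/login HTTP/1.1" 200 4021 "-" "Mozilla/5.0"`,
}

// requestLine extracts the request target from the quoted request field.
var requestLine = regexp.MustCompile(`"(?:GET|POST) (\S+) HTTP/`)

// Finding is one flagged log line. Severity is "notice" for any hit on
// /saml-post and "alert" when a parameter looks like an injection attempt.
type Finding struct {
	Line     string
	Severity string
}

// suspiciousValue reports whether a decoded url/id value carries a script
// scheme or HTML metacharacters, neither of which a legitimate SAML
// destination or request id should contain.
func suspiciousValue(v string) bool {
	lv := strings.ToLower(strings.TrimSpace(v))
	return strings.HasPrefix(lv, "javascript:") ||
		strings.HasPrefix(lv, "data:") ||
		strings.ContainsAny(v, `<>"'`)
}

// classifyLine returns a Finding for requests to /saml-post and false for
// everything else (or lines it cannot parse).
func classifyLine(line string) (Finding, bool) {
	m := requestLine.FindStringSubmatch(line)
	if m == nil {
		return Finding{}, false
	}
	target, err := url.Parse(m[1])
	if err != nil || target.Path != "/saml-post" {
		return Finding{}, false
	}
	sev := "notice"
	q := target.Query() // url.Values decodes percent-encoding for us
	for _, name := range []string{"url", "id"} {
		for _, v := range q[name] {
			if suspiciousValue(v) {
				sev = "alert"
			}
		}
	}
	return Finding{Line: line, Severity: sev}, true
}

// scanAccessLog runs classifyLine over every line and keeps the hits.
func scanAccessLog(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if f, hit := classifyLine(l); hit {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range scanAccessLog(sampleLog) {
		fmt.Printf("[%s] %s\n", strings.ToUpper(f.Severity), f.Line)
	}
}
```

Once 4.12.0 is deployed the endpoint no longer exists, so after the upgrade any remaining /saml-post hits are worth reviewing regardless of their parameters, which is why plain hits are kept at notice level rather than dropped.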