Zitadel Vulnerabilities
Comprehensive security vulnerability database for Zitadel products
| CVE | CVSS | Description | Vendor / Product | Exploit Status | Published |
|---|---|---|---|---|---|
| CVE-2026-29191 | 9.3 | This vulnerability allows an attacker to take over user accounts by exploiting a flaw in Zitadel's login interface, specifically through a cross-site scripting (XSS) attack on the /saml-post endpoint. It affects versions 4.0.0 to 4.11.1; users should upgrade to version 4.12.0 to protect against this critical issue. | zitadel / zitadel | Theoretical | Mar 7, 2026 |
| CVE-2026-29067 | 9.3 | An attacker can exploit a flaw in ZITADEL's password reset process to intercept or manipulate the confirmation link sent to users, allowing them to reset passwords without authorization. This vulnerability affects versions from 4.0.0-rc.1 to 4.7.0 and requires the attacker to be able to send requests that include specific headers to the server. | zitadel / zitadel | Theoretical | Mar 7, 2026 |
About Zitadel Security
This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Zitadel products. Our database is updated in real time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.
Each CVE listing includes its CVSS severity score, exploit availability status, an AI-generated vulnerability summary, and links to official patches and security advisories.