CVE-2026-29192 HIGH

CVE-2026-29192: ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover

Vendor Zitadel

Product zitadel

Weakness CWE-79 · XSS

Published March 7, 2026

Last update March 9, 2026

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0.

Key dates

02Disclosure timeline

March 7, 2026 CVE published

March 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-29192 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-11382 Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-46892 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-43294 WordPress Bold Timeline Lite plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-46976 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2021-24874 Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.31 - Reflected Cross-Site Scripting