Back to overview

CVE-2026-56667

HIGH
7.3
CVSS 3.1
Description
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user's browser when an affected login error path is reached. This issue is fixed in version 4.15.3.

Metadata

CVE ID
CVE-2026-56667
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-22 16:39 UTC
Published
2026-07-10 17:25 UTC
Last updated
2026-07-10 17:25 UTC
Primary CWE
CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product
zitadel / zitadel
Sources
cve.org  ·  NVD

Severity & Metrics

7.3 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
zitadel zitadel < 4.15.3
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.3 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
References (3)
Back to overview