CVE-2026-56667 in ZITADEL
Summary
by MITRE • 07/10/2026
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a javascript or data URI that can execute in a user's browser when an affected login error path is reached. This issue is fixed in version 4.15.3.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability exists within ZITADEL's identity management platform where improper validation of redirect URIs during authentication error handling creates a potential security risk for organizations utilizing the system. This flaw specifically affects versions prior to 4.15.3 and impacts both OpenID Connect and Security Assertion Markup Language authentication protocols. The root cause lies in how the system handles failed precondition error conditions during the login process, where the default redirect URI configuration is directly passed to the router without proper sanitization or validation checks.
The technical implementation flaw stems from the absence of a critical safety check known as isSafeRedirectUri when processing error paths in the authentication flow. This validation mechanism is essential for preventing open redirect vulnerabilities that could allow attackers to craft malicious redirect URLs. When an authentication error occurs, the system retrieves the loginSettings.defaultRedirectUri value and immediately passes it to router.push without verifying whether the URI adheres to security policies. This oversight creates a pathway where administrators can inadvertently configure dangerous redirect URIs that contain javascript or data protocols.
The operational impact of this vulnerability extends beyond simple redirect behavior and represents a potential vector for cross-site scripting attacks within the authentication context. When users encounter authentication failures, they are redirected to potentially malicious URLs that could execute JavaScript code in their browser context. This scenario enables attackers to exploit the trust relationship between the user's browser and the identity platform, potentially leading to credential theft, session hijacking, or other malicious activities. The vulnerability is particularly concerning because it leverages legitimate administrative configuration capabilities to create security breaches.
Organizations using affected ZITADEL versions face significant risk exposure during authentication error conditions, as any administrator with access to redirect URI configuration can introduce dangerous patterns into the system. The fix implemented in version 4.15.3 addresses this by ensuring that all redirect URIs passed through the error handling paths undergo proper validation against safe redirect criteria before being processed. This mitigation aligns with established security practices for preventing open redirect vulnerabilities and demonstrates proper input validation techniques that should be applied to all authentication flow components.
The vulnerability class can be categorized under CWE-601 as an Open Redirect vulnerability, specifically manifesting in the error handling paths of the authentication system. From an ATT&CK framework perspective, this issue relates to T1566.002 which covers credential access through phishing attacks and T1071.004 for application layer protocol usage. The security implications extend to privilege escalation scenarios where attackers could leverage this vulnerability to manipulate user sessions or redirect users to malicious sites that appear legitimate within the authentication context. Organizations should immediately upgrade to version 4.15.3 or later to remediate this vulnerability and ensure proper validation of all redirect URIs in error handling paths.