PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56667 zitadel CVE debrief

CVE-2026-56667 is a HIGH severity vulnerability in ZITADEL's Login V2 OIDC and SAML. Prior to version 4.15.3, the platform's FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check. This allows an organization or instance administrator to store a javascript or data URI that can execute in a user's browser when an affected login error path is reached. The vulnerability exists due to insufficient validation of redirect URIs.

Vendor
zitadel
Product
Unknown
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of ZITADEL's Login V2 OIDC and SAML should be aware of this vulnerability and take steps to upgrade to version 4.15.3 or apply compensating controls. Operators, platform administrators, vulnerability management teams, and security teams may be impacted by this vulnerability.

Technical summary

The vulnerability exists in ZITADEL's Login V2 OIDC and SAML implementation. When a FailedPrecondition error occurs, the platform returns loginSettings.defaultRedirectUri to router.push without validating it through the isSafeRedirectUri check. This oversight enables an administrator to store malicious URIs, such as javascript or data URIs, which can be executed in a user's browser when they encounter an affected login error path.

Defensive priority

Upgrade to version 4.15.3 or apply compensating controls to validate redirect URIs. Monitor for suspicious activity on login error paths.

Recommended defensive actions

  • Upgrade to ZITADEL version 4.15.3 or later
  • Implement compensating controls to validate redirect URIs
  • Monitor for suspicious activity on login error paths
  • Review official advisories for affected scope and severity
  • Confirm whether affected product deployments exist in managed environments
  • Track exceptions and retest remediated assets

Evidence notes

The CVE record was published on 2026-07-10T18:16:24.283Z and last modified on 2026-07-10T21:16:57.810Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify affected ZITADEL deployments and review official advisories for scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T18:16:24.283Z and has not been modified since then. The NVD entry is currently Deferred.