Skip to main content

Zitadel CVE-2026-55671

| EUVDEUVD-2026-42978 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-18 https://github.com/zitadel/zitadel GHSA-29jh-8cfq-rr8x
2.3
CVSS 4.0 · Vendor: https://github.com/zitadel/zitadel

Severity by source

Vendor (https://github.com/zitadel/zitadel) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

URL configuration requires low-privilege authenticated access; scope changes because SSRF reaches systems outside Zitadel's security boundary, with high confidentiality impact from potential cloud metadata access.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (https://github.com/zitadel/zitadel).

CVSS VectorVendor: https://github.com/zitadel/zitadel

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 10, 2026 - 18:22 NVD
2.3 (LOW)
Source Code Evidence Fetched
Jun 18, 2026 - 14:01 vuln.today
Analysis Generated
Jun 18, 2026 - 14:01 vuln.today

DescriptionCVE.org

Summary

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting:

  • HTTP Notification Channels: Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks.
  • OIDC BackChannel Logout: Terminates sessions across different applications. When a session ends, the Zitadel server sends an HTTP POST request to configured endpoints.
  • SAML Metadata URL Fetches: Fetches SAML metadata configurations from user-provided external URLs.

User-defined URLs in these components were not properly validated against an internal denylist, allowing potentially malicious URLs to bypass restrictions. Furthermore, the existing denylist mechanism previously introduced for Actions was found to be vulnerable to DNS rebinding, HTTP redirects, and protocol downgrades (HTTPS to HTTP), and it missed several common local network default entries.

Because an attacker can supply arbitrary URLs-including loopback addresses, internal IPs, or cloud link-local addresses-they could potentially gather internal network architecture details, scan internal ports, or interact with unauthorized internal services and infrastructure.

Impact

When a user-supplied URL points to a local host or internal IP address, an adversary can perform a Server-Side Request Forgery (SSRF) attack. This allows them to map internal network structures and exploit exposed internal services.

By leveraging DNS rebinding, an attacker could also bypass standard DNS-level checks, creating Time-of-Check to Time-of-Use (TOCTOU) gaps to access restricted internal endpoints. Additionally, vulnerabilities to HTTP redirects and protocol downgrades could allow attackers to manipulate the request flow or intercept sensitive communication.

Notably, if Zitadel is deployed within cloud environments (such as AWS, GCP, or Azure) that still permit legacy IMDSv1 or unauthenticated cloud metadata endpoints (169.254.169.254), an attacker could theoretically attempt to target these metadata services.

While Zitadel expects specific schemas or response formats for these features (which inherently limits data exfiltration capabilities and reduces the severe execution of the threat vector), users are strongly advised to patch immediately.

Affected Versions

Systems running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.15.1 (including RC versions)
  • 3.x: 3.0.0 through 3.4.11 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by securely validating target URLs against a hardened denylist. By default, localhost, loopback IPs, and standard internal network blocks are denied.

Note on Backports: This fix was only released on v4.x. While some of the affected components were generally available (GA), backporting the security fix to v3.x was not feasible due to the extensive code refactoring required to implement the unified network client securely. Please check the workarounds section if an upgrade to v4.x is not immediately possible.

  • 4.x: Upgrade to $\ge$4.15.2
  • 3.x: Update to $\ge$v4.15.2 or check out workarounds

Workarounds

The recommended solution is to update Zitadel to a patched version.

If an immediate upgrade is not possible, you can mitigate the risk by implementing strict network policies, egress firewalls, or reverse proxy rules within your infrastructure to block Zitadel from initiating outbound connections to your internal network, loopback interfaces, or cloud metadata endpoints. Note that managing these network controls is outside the scope of Zitadel's native configurations.

Questions

If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)

Credits

Thanks to everyone who reported this or a part of the vulnerability:

AnalysisAI

Server-Side Request Forgery in Zitadel's outgoing HTTP subsystems - HTTP Notification Channel webhooks, OIDC BackChannel Logout endpoints, and SAML Metadata URL fetches - enables authenticated users with application configuration privileges to force the Zitadel server to issue HTTP requests to internal network addresses, loopback interfaces, and cloud metadata endpoints such as the link-local IMDSv1 address 169.254.169.254. The pre-existing denylist for the Actions subsystem was additionally bypassable via DNS rebinding (TOCTOU), HTTP redirect following, and HTTPS-to-HTTP protocol downgrade, and all three newly affected components lacked denylist coverage entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain application configuration access in Zitadel
Delivery
Register internal or cloud metadata URL in OIDC/SAML/webhook config
Exploit
Trigger session termination or notification event
Execution
Zitadel server issues HTTP POST to internal endpoint
Impact
Receive response containing internal service data or cloud credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated user with one of the following specific configuration privileges in Zitadel: the ability to register or modify an OIDC application's BackChannel Logout endpoint URL, the ability to configure a SAML identity provider metadata fetch URL, or the ability to configure an HTTP Notification Channel webhook URL. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No vendor-supplied CVSS vector is available; risk is assessed from contextual signals only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with application owner privileges in a Zitadel instance registers an OIDC application with a BackChannel Logout URL pointing to http://169.254.169.254/latest/meta-data/ (AWS IMDSv1). When any user session is terminated, Zitadel automatically issues an HTTP POST to the registered endpoint; the response flows back through the Zitadel server process, potentially exposing IAM role credentials. …
Remediation The primary fix is to upgrade Zitadel to v4.15.2 or later (https://github.com/zitadel/zitadel/releases/tag/v4.15.2), which introduces a unified HTTPClient.DenyList enforced at the network dialer layer, blocking all RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local including cloud metadata endpoints (169.254.0.0/16), carrier-grade NAT (100.64.0.0/10), and full IPv6 equivalents. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55671 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy