CVE-2026-27945
SSRF Vulnerability in Zitadel Actions Allows Internal Network Access
Publication date: 2026-02-26
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zitadel | zitadel | From 2.59.0 (inclusive) to 3.4.6 (inclusive) |
| zitadel | zitadel | From 4.0.0 (inclusive) to 4.11.1 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27945 is a Server-Side Request Forgery (SSRF) vulnerability in Zitadel's Action V2 feature, a webhook-based mechanism that lets developers customize API request flows such as token issuance by having Zitadel call a configured target URL.

The vulnerability exists because Action target URLs are not restricted to external hosts: a target can point to localhost or to an internal IP address, so the Zitadel server itself sends the request to services on its own host or network.

An adversary who can configure such a target can use Zitadel as a proxy to map the internal network and reach services that are not exposed externally. Because Zitadel expects the target's response to conform to specific schemas, the attacker sees little of the raw response, which limits what can be read back, but the risk remains significant.

The vulnerability was patched in version 4.11.1 by implementing a denylist that blocks Action target requests to localhost and loopback IP addresses. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker who already holds high privileges in Zitadel (enough to configure Action targets) to gather information about your internal network structure and access internal services that are not normally exposed externally.
The impact is limited to low confidentiality and integrity risks, with no effect on system availability.
There is no need for user interaction, but the attacker must have high privileges to exploit this vulnerability.
Overall, the vulnerability could lead to limited disclosure of internal network information, which might aid further attacks or reconnaissance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Zitadel Action V2 making requests to local hosts or internal IP addresses, so exploitation shows up as outbound HTTP requests from the Zitadel process to loopback or internal ranges. Inspect Zitadel's logs and the network traffic of the host (or container) it runs on for such requests. Suggested approaches:

- Capture traffic on the Zitadel host with tcpdump, for example: `tcpdump -i <interface> 'dst net 127.0.0.0/8 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16'`. Traffic to 127.0.0.0/8 never leaves the host, so capture on the loopback interface (`-i lo`) for that range, and capture inside the container or pod network namespace when Zitadel runs there. IPv6 loopback (`::1`) and link-local ranges need their own filter terms.
- Use curl or wget from the Zitadel host or pod to check which loopback and internal endpoints are reachable from the network position an Action target request is made from. This tests reachability, not configuration.
- Review the configured Action targets (through the Zitadel API or console) and Zitadel's logs for endpoint URLs that point to localhost, loopback addresses, or internal IP ranges. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Zitadel to version 4.11.1 or later, where the vulnerability is patched by a denylist that blocks Action target requests to localhost and loopback IP addresses.

If upgrading is not possible, enforce network policies or firewall rules so that the Zitadel process cannot reach unintended internal endpoints such as localhost or internal IP ranges. Because the described denylist covers localhost and loopback, such egress controls remain worthwhile after the upgrade for other internal destinations (private RFC 1918 ranges and link-local addresses such as cloud metadata endpoints).

These mitigations are external to Zitadel's functionality and are implemented within your infrastructure to block SSRF attempts. [1]
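A target-URL check that serves both the configuration review suggested under detection and the denylist described under mitigation, written here as an added example in Go (the language Zitadel is written in). It is not Zitadel's code and does not reproduce the actual 4.11.1 patch: the `ActionTarget` record, the `StubResolver` lookup table and the `SampleTargets` list are constructed for the example. `LoopbackOnlyCheck` mirrors the narrow policy the advisory describes for the fix (localhost and loopback); `CheckTargetURL` beside it is the stricter policy a deployment should enforce, rejecting private RFC 1918 space, link-local addresses (including the 169.254.169.254 cloud-metadata address), IPv4-mapped IPv6 literals, and names that resolve to any such address.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ActionTarget is a hypothetical record for one Action V2 target, as a
// configuration export or audit script might hold it. It is not Zitadel's type.
type ActionTarget struct {
	Name     string
	Endpoint string
}

// Resolver maps a hostname to its addresses. Production code passes a real
// lookup such as net.DefaultResolver.LookupNetIP; this example uses a
// constructed table so it runs offline.
type Resolver func(host string) ([]netip.Addr, error)

var (
	ErrBadScheme = errors.New("scheme must be http or https")
	ErrNoHost    = errors.New("URL has no host")
	ErrLoopback  = errors.New("target is localhost/loopback")
	ErrInternal  = errors.New("target is a non-routable internal address")
)

// classifyAddr rejects addresses an Action target must never reach: loopback
// (127/8, ::1), unspecified (0.0.0.0, ::), RFC 1918 / ULA private space and
// link-local (169.254/16, which holds cloud metadata endpoints, and fe80::/10).
// Unmap() folds IPv4-mapped IPv6 (::ffff:127.0.0.1) into its IPv4 form first;
// without it an IPv4-only denylist is bypassed.
func classifyAddr(a netip.Addr) error {
	a = a.Unmap()
	switch {
	case a.IsLoopback(), a.IsUnspecified():
		return ErrLoopback
	case a.IsPrivate(), a.IsLinkLocalUnicast(), a.IsLinkLocalMulticast():
		return ErrInternal
	}
	return nil
}

// LoopbackOnlyCheck reproduces the narrow policy the advisory describes for the
// fix: refuse "localhost" and loopback literals, nothing else. It is kept here
// to show what such a denylist still lets through.
func LoopbackOnlyCheck(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "localhost" {
		return ErrLoopback
	}
	if a, perr := netip.ParseAddr(host); perr == nil && a.Unmap().IsLoopback() {
		return ErrLoopback
	}
	return nil
}

// CheckTargetURL is the stricter policy: http(s) only, and every address the
// host resolves to must pass classifyAddr. Checking all records catches a name
// that mixes public and loopback answers, but it cannot stop DNS rebinding
// between check and connect; the dialer should connect to the checked address
// rather than re-resolve the name.
func CheckTargetURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return ErrBadScheme
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return ErrNoHost
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return ErrLoopback
	}
	var addrs []netip.Addr
	if a, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{a}
	} else {
		var rerr error
		if addrs, rerr = resolve(host); rerr != nil {
			return rerr
		}
	}
	if len(addrs) == 0 {
		return ErrNoHost
	}
	for _, a := range addrs {
		if cerr := classifyAddr(a); cerr != nil {
			return cerr
		}
	}
	return nil
}

// AuditTargets runs CheckTargetURL over exported targets and returns the
// offending ones with the reason, for the configuration review step.
func AuditTargets(targets []ActionTarget, resolve Resolver) map[string]error {
	flagged := make(map[string]error)
	for _, t := range targets {
		if err := CheckTargetURL(t.Endpoint, resolve); err != nil {
			flagged[t.Name] = err
		}
	}
	return flagged
}

// StubResolver is a constructed lookup table standing in for DNS so the example
// runs offline; the names and addresses are invented.
func StubResolver(host string) ([]netip.Addr, error) {
	table := map[string][]netip.Addr{
		"hooks.example.com":  {netip.MustParseAddr("203.0.113.10")},
		"rebind.example.net": {netip.MustParseAddr("203.0.113.11"), netip.MustParseAddr("127.0.0.1")},
	}
	if addrs, ok := table[host]; ok {
		return addrs, nil
	}
	return nil, fmt.Errorf("lookup %s: no such host", host)
}

// SampleTargets is constructed sample data, not taken from any real deployment.
var SampleTargets = []ActionTarget{
	{"token-hook", "https://hooks.example.com/zitadel/token"},
	{"local-debug", "http://localhost:8080/debug"},
	{"ipv6-loopback", "http://[::1]:9000/"},
	{"mapped-loopback", "http://[::ffff:127.0.0.1]/"},
	{"cloud-metadata", "http://169.254.169.254/latest/meta-data/"},
	{"private-admin", "http://10.0.0.5/admin"},
	{"split-horizon", "https://rebind.example.net/hook"},
}

func main() {
	for name, err := range AuditTargets(SampleTargets, StubResolver) {
		fmt.Printf("%-16s %v\n", name, err)
	}
	// The loopback-only policy does not flag the metadata or private targets.
	fmt.Println("loopback-only check on cloud-metadata:",
		LoopbackOnlyCheck("http://169.254.169.254/latest/meta-data/"))
}
```

In a real deployment, replace `StubResolver` with `net.DefaultResolver.LookupNetIP` and have the HTTP client's dialer connect to the address that passed the check, so a name cannot be re-resolved to a loopback address after validation. Running the audit over a Zitadel target export flags every entry except `token-hook`; the `split-horizon` entry is rejected because one of its resolved addresses is loopback even though the other is public.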