CVE-2026-55671
Deferred Deferred - Pending Action

Stored SSRF in ZITADEL Identity Management Platform

Vulnerability report for CVE-2026-55671, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
zitadel zitadel From 4.0.0 (inc) to 4.15.1 (inc)
zitadel zitadel From 3.0.0 (inc) to 3.4.11 (inc)
zitadel zitadel 4.15.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Zitadel allows server-side request forgery (SSRF) attacks that could enable attackers to access internal network resources or cloud metadata endpoints. This could potentially lead to unauthorized access to sensitive information or internal systems.

Such unauthorized access risks could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access and breaches.

However, the provided information does not explicitly state the direct impact on compliance with these regulations or mention any compliance-related consequences.

Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue in the ZITADEL identity management platform affecting versions 4.0.0-rc.1 through 4.15.1. It occurs because ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against a protected denylist. This allows attackers to bypass restrictions and make the server send requests to internal or loopback IP addresses, link-local addresses, or redirected endpoints by exploiting DNS rebinding, HTTP redirects, or protocol downgrades.

The vulnerability arises from improper validation of URLs and weaknesses in the denylist mechanism, which can be circumvented to access internal network resources or services that should be protected.

Impact Analysis

This vulnerability can allow an attacker to make the ZITADEL server perform unauthorized requests to internal network resources, including loopback addresses, internal IPs, or cloud metadata services like IMDSv1. This can lead to information disclosure about internal network details, port scanning, or interaction with unauthorized internal services.

Such unauthorized access could be leveraged to gather sensitive information or potentially facilitate further attacks within the internal network environment.

Detection Guidance

This vulnerability involves Server-Side Request Forgery (SSRF) through HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches that bypass denylist protections. Detection involves monitoring outgoing HTTP requests from the Zitadel server to internal, loopback, or link-local IP addresses, or unusual redirects.

Suggested detection methods include inspecting network traffic for unexpected outbound connections to internal IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16) or DNS rebinding attempts.

  • Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests from the Zitadel server.
  • Example tcpdump command to monitor outgoing HTTP traffic to private IP ranges: sudo tcpdump -i <interface> 'dst net 10.0.0.0/8 or dst net 192.168.0.0/16 or dst net 127.0.0.0/8 and tcp port 80'
  • Check application logs for HTTP requests made by Zitadel to user-defined URLs, especially those that resolve to internal IPs or show redirects.
  • Use curl or similar tools to test URL validation by Zitadel components if possible, attempting to supply URLs pointing to internal IPs or localhost to see if they are accepted.
Mitigation Strategies

The primary mitigation is to upgrade Zitadel to version 4.15.2 or later, where the vulnerability is fixed by implementing a protected HTTP client with denylist enforcement, timeout, redirect, and protocol downgrade protections.

If upgrading immediately is not possible, implement network-level controls such as firewall rules or network policies to block Zitadel servers from making outbound HTTP requests to internal, loopback, or link-local IP addresses.

  • Apply firewall rules to block outbound connections to private IP ranges (e.g., 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16).
  • Restrict Zitadel configuration to disallow user-defined URLs that resolve to internal or loopback addresses.
  • Monitor and audit outgoing HTTP requests from Zitadel components to detect and block suspicious activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55671. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart