Description
ZITADEL is an open source identity management platform. Zitadel Action V2 (introduced as an early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0) is a webhook-based approach that lets developers act on API requests to Zitadel and customize flows such as the issuance of a token. Zitadel's Action target URLs can point to local hosts, potentially allowing adversaries to gather internal network information and connect to internal services. When the URL points to a local host or IP address, an adversary might gather information about the internal network structure, the services exposed on internal hosts, etc. This is sometimes called a Server-Side Request Forgery (SSRF). Zitadel Actions expect responses that conform to specific schemas, which reduces the threat vector. The patch in version 4.11.1 resolves the issue by checking the target URL against a denylist. By default, localhost and loopback IPs are denied. Note that this fix was only released on v4.x. Because of the stage (preview / beta) the functionality was in during v2.x and v3.x, the changes that have been applied to it since then, and the severity, or rather the actual threat vector, a backport to the corresponding versions was not feasible. Please check the workaround section for alternative solutions if an upgrade to v4.x is not possible. If an upgrade is not possible, prevent actions from using unintended endpoints by setting network policies or firewall rules in one's own infrastructure. Note that this is outside of the functionality provided by Zitadel.
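As an added illustration of the target-URL denylist check that the 4.11.1 fix describes (example code written for this page, not Zitadel's own implementation), the Go function below rejects Action target URLs whose host is localhost, a loopback, unspecified, link-local or private address, or a name that resolves to one; it deliberately goes beyond the default localhost/loopback denylist by also covering the private ranges that the firewall workaround targets. The Resolver type and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts name lookup so tests run offline (hypothetical type, not Zitadel's).
type Resolver func(host string) ([]net.IP, error)

// denied: loopback, unspecified, link-local or private (RFC 1918 / ULA); IPv4-mapped IPv6 too.
func denied(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
}

// ValidateActionTarget accepts only http(s) URLs whose host is not, and does not resolve to, a denied address.
func ValidateActionTarget(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("target must be an http(s) URL: %q", raw)
	}
	host := strings.ToLower(u.Hostname()) // port and IPv6 brackets removed
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q is denied", host)
	}
	if ip := net.ParseIP(host); ip != nil {
		if denied(ip) {
			return fmt.Errorf("ip %s is in a denied range", ip)
		}
		return nil
	}
	// Names (and shorthand like 127.1, which ParseIP rejects) are resolved; every address must pass.
	ips, err := resolve(host)
	if err != nil {
		return fmt.Errorf("cannot resolve %s: %w", host, err)
	}
	for _, ip := range ips {
		if denied(ip) {
			return fmt.Errorf("%s resolves to denied address %s", host, ip)
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateActionTarget("http://[::ffff:127.0.0.1]:8080/hook", net.LookupIP))
}
```

Resolving at validation time still leaves a window in which the name can change before the request is made, so the same check is best applied again when the connection is opened (for example in the HTTP client's dialer).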
Published: 2026-02-26
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch Now
AI Analysis

Impact

Zitadel’s Action V2 allows developers to configure webhooks that trigger when identity events occur. The configured target URL for an action can point to any host, including localhost or private IP ranges. When an action is executed, the Zitadel server performs an outbound HTTP request to the supplied URL. This behavior can be abused as a server‑side request forgery, enabling an attacker to probe internal services, discover network topology, or access restricted resources that are otherwise unreachable from the public internet. The vulnerability is mitigated by the fact that the server expects responses to match specific schemas, limiting the usefulness of arbitrary payloads, but discovery and reconnaissance remain possible.

Affected Systems

The vulnerability affects Zitadel, an open‑source identity management platform, from Action V2 preview releases beginning at version 2.59.0, through the beta releases in the 3.x series, and up to the GA releases of the 4.x line through version 4.11.0. The issue is resolved in version 4.11.1 and later, where outbound action URLs are validated against a denylist that blocks localhost and loopback IPs. Earlier 4.x releases, as well as all 3.x and 2.x iterations, do not contain the fix.

Risk and Exploitability

The CVSS score of 2.1 indicates low overall severity, and the EPSS score of less than 1% reflects a very low probability that exploit attempts are currently observed. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need the ability to create or modify Action V2 configurations to exploit the SSRF vector. Once a vulnerable action exists, the attacker can use the resulting outbound request to collect information about internal hosts or services. The impact is primarily limited to internal reconnaissance and potential access to isolated services, rather than full system compromise or arbitrary code execution.

Generated by OpenCVE AI on April 18, 2026 at 19:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Zitadel 4.11.1 or later so that outgoing action URLs are validated against a denylist that blocks localhost and loopback addresses.
  • If an upgrade is not possible, block outbound traffic from the Zitadel instance to private or local IP ranges using network policies or firewall rules, preventing actions from reaching internal endpoints.
  • Review existing Action V2 configurations and remove or modify any that target internal hosts or localhost URLs; if the feature is unused, disable Action V2 entirely to eliminate the SSRF vector.

Generated by OpenCVE AI on April 18, 2026 at 19:34 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-7777-fhq9-592v
Title: ZITADEL has potential SSRF via Actions
History

Thu, 05 Mar 2026 16:15:00 +0000
  Added CPEs: cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
  Added Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Thu, 26 Feb 2026 19:15:00 +0000
  Added Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000
  Added First Time appeared: Zitadel; Zitadel zitadel
  Added Vendors & Products: Zitadel; Zitadel zitadel

Thu, 26 Feb 2026 01:00:00 +0000
  Added Description: (identical to the description at the top of this page)
  Added Title: ZITADEL has potential SSRF via Actions
  Added Weaknesses: CWE-918
  Added References:
  Added Metrics (cvssV4_0): {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:51:23.606Z

Reserved: 2026-02-25T03:11:36.690Z

Link: CVE-2026-27945

Vulnrichment

Updated: 2026-02-26T16:51:14.388Z

NVD

Status : Analyzed

Published: 2026-02-26T01:16:25.800

Modified: 2026-03-05T16:04:24.587

Link: CVE-2026-27945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses