Server-Side Request Forgery Vulnerability in ZITADEL Identity Management Platform
CVE-2026-27945

2.1 LOW

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 26 February 2026

What is CVE-2026-27945?

The Action V2 feature of the ZITADEL Identity Management Platform is susceptible to a Server-Side Request Forgery (SSRF) vulnerability. The flaw arises because webhook target URLs may point at local hosts, so the server can be made to issue requests into its own internal network. An adversary could exploit this to learn about the internal network layout and reach internal services. The vulnerability was first introduced in early preview versions and persisted through the beta stages. A fix is available in version 4.11.1, which validates target URLs against a denylist and, by default, denies localhost and loopback IP addresses. Users of earlier versions are advised to apply network policies or firewall rules as a workaround until they can upgrade.
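The denylist check the advisory describes, written as an added Go example (not ZITADEL's own code): a webhook URL is parsed, its host is compared against `localhost`, IP literals are checked directly, and hostnames are resolved through an injectable resolver so that a name resolving to a loopback address is also rejected. The denylist here goes beyond the advisory's stated default of localhost and loopback by also covering unspecified, link-local and private ranges; that wider set is an assumption, as are the `Resolver` type and the function names.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the check can run offline against a fixture;
// production code would wrap net.LookupIP here.
type Resolver func(host string) ([]netip.Addr, error)

// Denied is the denylist: loopback (127/8, ::1), unspecified, link-local
// (169.254/16, fe80::/10) and private (RFC 1918, fc00::/7) ranges. The advisory's
// fix denies localhost and loopback by default; the wider set is an assumption.
func Denied(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	return a.IsLoopback() || a.IsUnspecified() || a.IsLinkLocalUnicast() || a.IsPrivate()
}

// ValidateWebhookTarget rejects a URL whose host is localhost, an IP literal on
// the denylist, or a hostname that resolves to ANY denied address.
func ValidateWebhookTarget(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // port and IPv6 brackets already stripped
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q is denied", host)
	}
	var addrs []netip.Addr
	if a, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{a} // IP literal, no lookup needed
	} else if addrs, err = resolve(host); err != nil {
		return fmt.Errorf("resolve %s: %w", host, err)
	}
	for _, a := range addrs {
		if Denied(a) {
			return fmt.Errorf("%s resolves to denied address %s", host, a)
		}
	}
	return nil // DNS can change between check and dial; re-check when connecting
}
```

Validating only when the webhook is configured is not enough on its own: the resolved address should be checked again at connection time, since a name can change its answer between configuration and delivery.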

Affected Version(s)

zitadel >= 2.59.0, < 4.11.1

References

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved