Server-Side Request Forgery in ZITADEL Identity Management Platform
CVE-2026-55671
2.3LOW
What is CVE-2026-55671?
The ZITADEL Identity Management Platform versions 4.0.0-rc.1 through 4.15.1 contain a vulnerability that permits server-side request forgery. This occurs due to inadequate validation of user-defined URLs within ZITADEL's HTTP notification channels, OIDC BackChannel Logout functions, and SAML metadata URL fetches. As a result, malicious actors may exploit this to redirect server requests to loopback addresses or other unprotected internal and external endpoints. This issue is resolved in version 4.15.2, which includes enhanced protections against such vulnerabilities.
Affected Version(s)
zitadel < 4.15.2
