Server-Side Request Forgery in ZITADEL Identity Management Platform
CVE-2026-55671

2.3LOW

Key Information:

Vendor

Zitadel

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55671?

The ZITADEL Identity Management Platform versions 4.0.0-rc.1 through 4.15.1 contain a vulnerability that permits server-side request forgery. This occurs due to inadequate validation of user-defined URLs within ZITADEL's HTTP notification channels, OIDC BackChannel Logout functions, and SAML metadata URL fetches. As a result, malicious actors may exploit this to redirect server requests to loopback addresses or other unprotected internal and external endpoints. This issue is resolved in version 4.15.2, which includes enhanced protections against such vulnerabilities.

Affected Version(s)

zitadel < 4.15.2

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.