CVE-2026-27945
published 2026-02-26
Priority P3 | 39 | medium | CVSS 3.1: 6.5
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
EPSS: 0.23% (13.2th percentile)
ZITADEL is an open source identity management platform. Zitadel Action V2 (introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0) is a webhook-based approach that allows developers to act on API requests to Zitadel and customize flows such as the issuing of a token. Zitadel's Action target URLs can point to local hosts, potentially allowing adversaries to gather internal network information and connect to internal services. When the URL points to a local host or IP address, an adversary might gather information about the internal network structure, the services exposed on internal hosts, etc. This is sometimes called a Server-Side Request Forgery (SSRF). Zitadel Actions expect responses according to specific schemas, which reduces the threat vector.

The patch in version 4.11.1 resolves the issue by checking the target URL against a denylist. By default, localhost and loopback IPs are denied. Note that this fix was only released on v4.x. Due to the stage (preview / beta) the functionality was in for v2.x and v3.x, the changes that have been applied to it since then, and the severity and actual threat vector, a backport to the corresponding versions was not feasible. Please check the workaround section for alternative solutions if an upgrade to v4.x is not possible.

If an upgrade is not possible, prevent actions from using unintended endpoints by setting network policies or firewall rules in one's own infrastructure. Note that this is outside of the functionality provided by Zitadel.
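The following Go example, added here and not taken from ZITADEL's code base, applies a loopback denylist twice: when a target URL is stored, and again at connect time after DNS resolution, so a public-looking name that resolves to loopback is refused too. The names `Denylist`, `Default`, `CheckTargetURL` and `DialControl` are hypothetical, and the sample URL is constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"slices"
	"strings"
	"syscall"
)

// Denylist (hypothetical type): IP ranges a webhook target must not reach.
// Default covers what the advisory names as denied by default: localhost and loopback IPs.
type Denylist []netip.Prefix

var Default = Denylist{netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("::1/128")}

func (d Denylist) deniedIP(ip netip.Addr) bool {
	ip = ip.Unmap().WithZone("") // ::ffff:127.0.0.1 and zoned forms must still match
	return slices.ContainsFunc(d, func(p netip.Prefix) bool { return p.Contains(ip) })
}

// CheckTargetURL is the check to run when a target URL is created or updated.
func (d Denylist) CheckTargetURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("invalid target URL %q", raw)
	}
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	ip, err := netip.ParseAddr(host)
	if host == "localhost" || strings.HasSuffix(host, ".localhost") || (err == nil && d.deniedIP(ip)) {
		return fmt.Errorf("target host %q is denied", host)
	}
	return nil
}

// DialControl re-checks the resolved address at connect time and fails closed on parse errors.
func (d Denylist) DialControl(_, address string, _ syscall.RawConn) error {
	if ap, err := netip.ParseAddrPort(address); err != nil || d.deniedIP(ap.Addr()) {
		return fmt.Errorf("connection to %s is denied", address)
	}
	return nil
}

func main() {
	dialer := &net.Dialer{Control: Default.DialControl} // every outbound connection is re-checked
	client := &http.Client{Transport: &http.Transport{DialContext: dialer.DialContext}}
	_, err := client.Get("http://127.0.0.1:9/") // constructed sample target
	fmt.Println(err)
}
```

The URL check alone only sees literal hosts and IPs; the dial-time check is what covers names whose DNS answer points at a denied range.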
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 1.80.0-v2.20.0.20260225053328-b2532e966621 | 1.80.0-v2.20.0.20260225053328-b2532e966621 |
| github.com | zitadel_zitadel_v2 | >= 0 < 1.80.0-v2.20.0.20260225053328-b2532e966621 | 1.80.0-v2.20.0.20260225053328-b2532e966621 |
| github.com | zitadel_zitadel_v2 | >= 2.59.0 < 4.11.1 | 4.11.1 |
| zitadel | zitadel | — | — |
| zitadel | zitadel | 2.59.0 – 3.4.6 | — |
| zitadel | zitadel | >= 4.0.0 < 4.11.1 | 4.11.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel
osv·2026-03-10
CVE-2026-27945 ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel
ZITADEL has potential SSRF via Actions in github.com/zitadel/zitadel.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v2.59.0 before v4.11.1.
GHSA
ZITADEL has potential SSRF via Actions
ghsa·2026-02-27
CVE-2026-27945 [LOW] CWE-918 ZITADEL has potential SSRF via Actions
### Summary
ZITADEL Action V2 (introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0) is a webhook-based approach that allows developers to act on API requests to Zitadel and customize flows such as the issuing of a token.
ZITADEL's Action target URLs can point to local hosts, potentially allowing adversaries to gather internal network information and connect to internal services.
### Impact
When the URL points to a local host or IP address, an adversary might gather information about the internal network structure, the services exposed on internal hosts, etc. This is sometimes called a Server-Side Request Forgery (SSRF).
ZITADEL Actions expect responses according to specific schemas, which reduces the threat vector.
### Affected Versions
Sys
OSV
ZITADEL has potential SSRF via Actions
osv·2026-02-27
CVE-2026-27945 [LOW] ZITADEL has potential SSRF via Actions
No detection rules found.
No public exploits indexed.
2026-02-26
Published