CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27945: ZITADEL Actions V2 Server-Side Request Forgery (SSRF)

Vulnerability ID: CVE-2026-27945
CVSS Score: 2.1
Published: 2026-02-27

A Server-Side Request Forgery (SSRF) vulnerability exists in the ZITADEL identity management platform within the Actions V2 execution engine. The vulnerability allows authenticated administrators with permission to configure Actions to define webhook targets that resolve to local or internal network addresses. This flaw enables high-privileged attackers to probe the internal network structure, access cloud instance metadata services, or interact with local services bound to the loopback interface, bypassing network perimeter controls.

TL;DR

ZITADEL Actions V2 fails to validate webhook target URLs against a deny-list. Authenticated admins can exploit this to send HTTP requests to the loopback interface or internal network services (SSRF). Fixed in version 4.11.1.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-27945
  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS v4.0: 2.1 (Low)
  • Privileges Required: High (Admin)
  • EPSS Score: 0.03%

Affected Systems

  • ZITADEL Identity Management System
  • ZITADEL: >= 2.59.0 < 4.11.1 (Fixed in: 4.11.1)

Code Analysis

Commit: b2532e9

Implementation of denylist check in Actions HTTP module

    func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
        ...
        if t.denyList.IsBlocked(host) {
            ...
        }
        ...
    }

Commit: bdae824

Commit introducing the vulnerable Actions V2 feature


Exploit Details

  • Research Context: Advisory describing the theoretical attack via configured Actions

Mitigation Strategies

  • Application Patching
  • Input Validation (Deny List)
  • Network Segmentation
  • Egress Filtering

Remediation Steps:

  1. Upgrade ZITADEL to version 4.11.1 or later.
  2. Configure ZITADEL_EXECUTIONS_DENYLIST to include the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the cloud metadata address (169.254.169.254).
  3. Apply Kubernetes NetworkPolicies to restrict ZITADEL pod egress traffic.
  4. Audit existing Actions for suspicious target URLs pointing to internal resources.
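The deny-list check shown in the Code Analysis snippet and the address ranges named in remediation step 2, carried through as an added Go example. This is not ZITADEL's code: the DenyList type, NewWebhookClient, the DefaultDenyCIDRs list (the page's RFC 1918 and metadata ranges plus loopback and IPv6 equivalents of my own choosing) and the .test hostnames are all constructed for illustration. The check is placed in the dialer rather than in RoundTrip so that it runs against the address the client actually connects to, and a name is rejected if any of its resolved addresses is denied.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// DefaultDenyCIDRs: the RFC 1918 and metadata ranges from the remediation
// steps, plus loopback, unspecified and the IPv6 equivalents (my additions).
var DefaultDenyCIDRs = []string{
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", // link-local; contains the 169.254.169.254 metadata IP
	"0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10",
}

// DenyList is a hypothetical stand-in for an egress deny list.
type DenyList struct{ nets []*net.IPNet }

func NewDenyList(cidrs []string) (*DenyList, error) {
	d := &DenyList{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("denylist: bad CIDR %q: %w", c, err)
		}
		d.nets = append(d.nets, n)
	}
	return d, nil
}

// IsBlocked reports whether ip falls in a denied range. IPNet.Contains maps
// IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) back to IPv4 before matching.
func (d *DenyList) IsBlocked(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() {
		return true
	}
	for _, n := range d.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolver abstracts DNS so the check can be exercised offline.
type Resolver func(ctx context.Context, host string) ([]net.IPAddr, error)

var ErrBlockedTarget = errors.New("webhook target resolves to a denied address")

// AllowedAddrs resolves host (or parses it as a literal) and rejects it if
// ANY answer is denied, so a mixed public/private DNS answer cannot slip through.
func (d *DenyList) AllowedAddrs(ctx context.Context, host string, resolve Resolver) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		if d.IsBlocked(ip) {
			return nil, fmt.Errorf("%w: %s", ErrBlockedTarget, ip)
		}
		return []net.IP{ip}, nil
	}
	addrs, err := resolve(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		if d.IsBlocked(a.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrBlockedTarget, host, a.IP)
		}
		ips = append(ips, a.IP)
	}
	return ips, nil
}

// NewWebhookClient enforces the deny list inside DialContext, on the address
// that is actually connected to. Redirects go through the same dialer, so a
// 302 to an internal address is caught too; the chain length is capped.
func NewWebhookClient(d *DenyList, resolve Resolver) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := d.AllowedAddrs(ctx, host, resolve)
			if err != nil {
				return nil, err
			}
			// Dial the vetted IP literal, not the name, so no second lookup occurs.
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
	return &http.Client{
		Transport: transport,
		Timeout:   10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return nil
		},
	}
}

func main() {
	d, _ := NewDenyList(DefaultDenyCIDRs)
	// Constructed offline resolver standing in for DNS.
	fake := func(_ context.Context, host string) ([]net.IPAddr, error) {
		table := map[string]string{"metadata.internal.test": "169.254.169.254", "webhook.example.test": "203.0.113.10"}
		return []net.IPAddr{{IP: net.ParseIP(table[host])}}, nil
	}
	for _, h := range []string{"metadata.internal.test", "webhook.example.test", "127.0.0.1", "::ffff:10.0.0.1"} {
		_, err := d.AllowedAddrs(context.Background(), h, fake)
		fmt.Printf("%-24s -> %v\n", h, err)
	}
	_ = NewWebhookClient(d, fake) // use in place of http.DefaultClient for webhook delivery
}
```

Pass net.DefaultResolver.LookupIPAddr as the Resolver in production; the fake table in main exists only so the example runs without network access. Step 2's deny list and step 3's egress NetworkPolicy are complementary: the in-process check gives a clear error to the administrator who misconfigured an Action, while the network-level control still holds if the application check is bypassed.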

Read the full report for CVE-2026-27945 on our website for more details including interactive diagrams and full exploit analysis.
