CVE-2026-55671

LOWPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components

Summary

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting:

* HTTP Notification Channels: Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks. * OIDC BackChannel Logout: Terminates sessions across different applications. When a session ends, the Zitadel server sends an HTTP POST request to configured endpoints. * SAML Metadata URL Fetches: Fetches SAML metadata configurations from user-provided external URLs.

User-defined URLs in these components were not properly validated against an internal denylist, allowing potentially malicious URLs to bypass restrictions. Furthermore, the existing denylist mechanism previously introduced for Actions was found to be vulnerable to DNS rebinding, HTTP redirects, and protocol downgrades (HTTPS to HTTP), and it missed several common local network default entries.

Because an attacker can supply arbitrary URLs—including loopback addresses, internal IPs, or cloud link-local addresses—they could potentially gather internal network architecture details, scan internal ports, or interact with unauthorized internal services and infrastructure.

Impact

When a user-supplied URL points to a local host or internal IP address, an adversary can perform a Server-Side Request Forgery (SSRF) attack. This allows them to map internal network structures and exploit exposed internal services.

By leveraging DNS rebinding, an attacker could also bypass standard DNS-level checks, creating Time-of-Check to Time-of-Use (TOCTOU) gaps to access restricted internal endpoints. Additionally, vulnerabilities to HTTP redirects and protocol downgrades could allow attackers to manipulate the request flow or intercept sensitive communication.

Notably, if Zitadel is deployed within cloud environments (such as AWS, GCP, or Azure) that still permit legacy IMDSv1 or unauthenticated cloud metadata endpoints (169.254.169.254), an attacker could theoretically attempt to target these metadata services.

While Zitadel expects specific schemas or response formats for these features (which inherently limits data exfiltration capabilities and reduces the severe execution of the threat vector), users are strongly advised to patch immediately.

Affected Versions

Systems running one of the following versions are affected:

* 4.x: 4.0.0 through 4.15.1 (including RC versions) * 3.x: 3.0.0 through 3.4.11 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by securely validating target URLs against a hardened denylist. By default, localhost, loopback IPs, and standard internal network blocks are denied.

Note on Backports: This fix was only released on v4.x. While some of the affected components were generally available (GA), backporting the security fix to v3.x was not feasible due to the extensive code refactoring required to implement the unified network client securely. Please check the workarounds section if an upgrade to v4.x is not immediately possible.

* 4.x: Upgrade to $\ge$4.15.2 * 3.x: Update to $\ge$v4.15.2 or check out workarounds

Workarounds

The recommended solution is to update Zitadel to a patched version.

If an immediate upgrade is not possible, you can mitigate the risk by implementing strict network policies, egress firewalls, or reverse proxy rules within your infrastructure to block Zitadel from initiating outbound connections to your internal network, loopback interfaces, or cloud metadata endpoints. Note that managing these network controls is outside the scope of Zitadel's native configurations.

Questions

If you have any questions or comments about this advisory, please email us at [email protected]

Credits

Thanks to everyone who reported this or a part of the vulnerability:

* cwanglab * wooseokdotkim * ffulbtech * 0xBassia * 5ud0 from Tarmo Technologies * alanturing881 * dungNHVhust and sondt99 * oduoke567 * DavidCarliez * eddieran * tikket1 * Wernerina * morimori-dev * vamsik2k5

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

June 18, 2026

Last Modified

June 18, 2026

Vendor Advisories for CVE-2026-55671(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/zitadel/zitadel1.80.0-v2.20.0.20260615133614-8e82ec1cb9a2

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-18 13:08 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-55671?
CVE-2026-55671 is a low vulnerability published on June 18, 2026. ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Summary A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting: HTTP Notification Channels: Used as an alternative to SMTP/Twilio configurations, sending payloads to…
When was CVE-2026-55671 disclosed?
CVE-2026-55671 was first published in the National Vulnerability Database on June 18, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-55671?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55671, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-55671

Explore →

Is Your Infrastructure Affected by CVE-2026-55671?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.