CVE-2026-27945: ZITADEL has potential SSRF via Actions
ZITADEL Action V2 (introduced as an early preview in 2.59.0, beta in 3.0.0, and GA in 4.0.0) is a webhook-based approach that lets developers act on API requests to ZITADEL and customize flows such as the issuance of a token.
ZITADEL’s Action target URLs can point to local hosts, potentially allowing adversaries to gather internal network information and connect to internal services.