Platform: go
Component: github.com/zitadel/zitadel
Fixed in: 2.59.1, 4.11.1, 1.80.0-v2.20.0.20260225053328-b2532e966621
CVE-2026-27945 is a Server-Side Request Forgery (SSRF) vulnerability in Zitadel (github.com/zitadel/zitadel). Successful exploitation could let an attacker make the Zitadel server initiate requests to internal or external resources, potentially exposing sensitive data or enabling unauthorized access. The vulnerability affects versions prior to 4.11.1 and is fixed in 4.11.1 and later.
The SSRF vulnerability in Zitadel allows an attacker to craft malicious requests that originate from the Zitadel server itself. This means an attacker could potentially access internal resources that are not directly exposed to the internet, such as internal APIs, databases, or cloud services. The impact could range from information disclosure (e.g., reading configuration files or internal data) to potentially escalating privileges within the Zitadel environment. While the CVSS score is LOW, the potential for internal reconnaissance and lateral movement should not be underestimated, particularly in environments with complex internal network architectures. This vulnerability shares characteristics with other SSRF vulnerabilities where attackers leverage trusted internal access to probe and exploit other systems.
CVE-2026-27945 was published on 2026-03-10. Its CVSS score is 2.5 (LOW), indicating low severity. No public Proof-of-Concept (POC) code has been released as of this writing. The vulnerability is not listed in CISA's KEV catalog and its EPSS score is low, suggesting no active exploitation campaigns are known. Refer to the Zitadel advisory for further details.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27945 is to upgrade Zitadel to version 4.11.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the Zitadel server using a Web Application Firewall (WAF) or proxy. Configure the WAF to block requests to suspicious or unauthorized domains and IP addresses. Carefully review and restrict any allowed outbound URLs within Zitadel's configuration. After upgrading, verify the fix by attempting to trigger an SSRF request through Zitadel's Actions functionality and confirming that the request is blocked or redirected.
Upgrade ZITADEL to version 4.11.1 or later. If upgrading is not possible, configure network policies or firewall rules to prevent Actions from reaching unintended endpoints.
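The two mitigation notes above say to restrict the endpoints Actions may reach but do not show what such a check looks like. The following Go egress check is an added example, not Zitadel's code and not part of the advisory: the EgressPolicy type, CheckOutbound, stubResolve and the sampleDNS answers are all assumptions constructed for illustration, and a real deployment would plug in a live resolver. It fails closed on non-https schemes, hosts missing from the allowlist, and any resolved address in a private, loopback or link-local range (which covers the cloud metadata address 169.254.169.254).

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
)

// EgressPolicy is a hypothetical allowlist for hosts an Action may call; Resolve is
// injectable so the check runs offline (production would wrap net.Resolver.LookupNetIP).
type EgressPolicy struct {
	AllowedHosts map[string]bool
	Resolve      func(host string) ([]netip.Addr, error)
}
// nonPublic: RFC 1918/ULA, loopback, link-local (so 169.254.169.254), multicast, unspecified.
func nonPublic(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:10.0.0.1 like 10.0.0.1
	return a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsMulticast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() || a.IsUnspecified()
}

// CheckOutbound admits a URL only if it is https, its host is allowlisted and every
// address it resolves to is public; checking all answers defeats split/rebinding DNS.
func (p EgressPolicy) CheckOutbound(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname() // userinfo tricks like https://good@10.0.0.5/ still yield 10.0.0.5
	if u.Scheme != "https" || !p.AllowedHosts[host] {
		return fmt.Errorf("blocked: %q is not an allowlisted https URL", raw)
	}
	addrs, err := p.Resolve(host)
	if err != nil || len(addrs) == 0 {
		return fmt.Errorf("blocked: cannot resolve %q: %v", host, err)
	}
	for _, a := range addrs {
		if nonPublic(a) {
			return fmt.Errorf("blocked: %q resolves to non-public %s", host, a)
		}
	}
	return nil
}

// Constructed offline DNS answers (not real lookups) used by stubResolve.
var sampleDNS = map[string][]netip.Addr{
	"hooks.example.com":    {netip.MustParseAddr("203.0.113.10")},
	"rebind.example.com":   {netip.MustParseAddr("203.0.113.20"), netip.MustParseAddr("10.0.0.5")},
	"metadata.example.com": {netip.MustParseAddr("169.254.169.254")},
}
func stubResolve(host string) ([]netip.Addr, error) { return sampleDNS[host], nil }
```

The same policy should be applied again at connection time (for example in a custom dialer), because a host that passed the check can be re-resolved to a different address when the request is actually sent.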
CVE-2026-27945 is a Server-Side Request Forgery (SSRF) vulnerability in Zitadel, affecting versions before 4.11.1. It allows attackers to potentially trigger server-side requests, leading to information disclosure.
You are affected if you are using Zitadel versions prior to 4.11.1. Check your Zitadel version and upgrade immediately if vulnerable.
Upgrade Zitadel to version 4.11.1 or later. As a temporary workaround, restrict outbound network access using a WAF or proxy.
No active exploitation campaigns are currently known, and no public POC code has been released.
Refer to the Zitadel project's official advisory for the most up-to-date information and details regarding this vulnerability.