ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
Description
Summary
A Server-Side Request Forgery (SSRF) vulnerability was discovered in Zitadel affecting:
- HTTP Notification Channels: Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks.
- OIDC BackChannel Logout: Terminates sessions across different applications. When a session ends, the Zitadel server sends an HTTP POST request to configured endpoints.
- SAML Metadata URL Fetches: Fetches SAML metadata configurations from user-provided external URLs.
User-defined URLs in these components were not properly validated against an internal denylist, allowing potentially malicious URLs to bypass restrictions. Furthermore, the existing denylist mechanism previously introduced for Actions was found to be vulnerable to DNS rebinding, HTTP redirects, and protocol downgrades (HTTPS to HTTP), and it missed several common local network default entries.
Because an attacker can supply arbitrary URLs—including loopback addresses, internal IPs, or cloud link-local addresses—they could potentially gather internal network architecture details, scan internal ports, or interact with unauthorized internal services and infrastructure.
Impact
When a user-supplied URL points to a local host or internal IP address, an adversary can perform a Server-Side Request Forgery (SSRF) attack. This allows them to map internal network structures and exploit exposed internal services.
By leveraging DNS rebinding, an attacker could also bypass standard DNS-level checks, creating Time-of-Check to Time-of-Use (TOCTOU) gaps to access restricted internal endpoints. Additionally, vulnerabilities to HTTP redirects and protocol downgrades could allow attackers to manipulate the request flow or intercept sensitive communication.
Notably, if Zitadel is deployed within cloud environments (such as AWS, GCP, or Azure) that still permit legacy IMDSv1 or unauthenticated cloud metadata endpoints (169.254.169.254), an attacker could theoretically attempt to target these metadata services.
While Zitadel expects specific schemas or response formats for these features (which inherently limits data exfiltration capabilities and reduces the severe execution of the threat vector), users are strongly advised to patch immediately.
Affected
Versions
Systems running one of the following versions are affected:
- 4.x:
4.0.0through4.15.1(including RC versions) - 3.x:
3.0.0through3.4.11(including RC versions)
Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by securely validating target URLs against a hardened denylist. By default, localhost, loopback IPs, and standard internal network blocks are denied.
Note on Backports: This fix was only released on v4.x. While some of the affected components were generally available (GA), backporting the security fix to v3.x was not feasible due to the extensive code refactoring required to implement the unified network client securely. Please check the workarounds section if an upgrade to v4.x is not immediately possible.
Workarounds
The recommended solution is to update Zitadel to a patched version.
If an immediate upgrade is not possible, you can mitigate the risk by implementing strict network policies, egress firewalls, or reverse proxy rules within your infrastructure to block Zitadel from initiating outbound connections to your internal network, loopback interfaces, or cloud metadata endpoints. Note that managing these network controls is outside the scope of Zitadel's native configurations.
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to everyone who reported this or a part of the vulnerability:
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"User-supplied URLs in HTTP notification channels, OIDC backchannel logout, and SAML metadata fetches were not properly validated against an internal denylist, and the existing denylist was vulnerable to DNS rebinding, HTTP redirects, and protocol downgrades."
Attack vector
An attacker who can configure a Zitadel application (e.g., an OIDC app with a backchannel logout URI, an HTTP notification channel, or a SAML metadata URL) can supply a URL pointing to a loopback address, internal IP, or cloud metadata endpoint (e.g., `169.254.169.254`). Because the existing denylist was incomplete and vulnerable to DNS rebinding, HTTP redirects, and protocol downgrades [ref_id=1], the server would make an HTTP request to that internal target. This allows the attacker to scan internal ports, probe internal services, or interact with cloud metadata services if IMDSv1 is enabled.
Affected code
The vulnerability affects URL validation in HTTP Notification Channels, OIDC BackChannel Logout, and SAML Metadata URL fetches. The patch modifies `internal/command/project_application_oidc_test.go` to add denylist checks for backchannel logout URIs, and `internal/notification/handlers/config_email_test.go` and `internal/notification/handlers/config_sms_test.go` to validate webhook endpoints against a denylist. A new HTTP client with denylist support is wired in via `internal/api/http/client_test.go` and the setup code in `Setup()`.
What the fix does
The patch introduces a global denylist (`config.HTTPClient.DenyList`) and a unified HTTP client that validates all outbound URLs against it before making requests [patch_id=6467415]. It adds `denylist.AddressChecker` entries to block localhost, loopback IPs, and internal network blocks. The denylist is injected into the command layer (for backchannel logout URI validation) and the notification handlers (for webhook endpoint validation). This prevents SSRF by rejecting requests to blocked addresses at the point of configuration and at runtime.
Preconditions
- authThe attacker must be able to configure an OIDC application's backchannel logout URI, an HTTP notification channel, or a SAML metadata URL in Zitadel.
- networkThe Zitadel server must be deployed in an environment where internal services or cloud metadata endpoints are reachable (e.g., no network-level egress filtering).
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.