CVE-2026-55671
Severity CVSS v4.0:
LOW
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2.
Impact
Base Score 4.0
2.30
Severity 4.0
LOW



