Christopher Baumann

Researcher from zentrust partners GmbH
#41311 of 53,632
6.5 Total CVSS
Vulnerabilities · 1
PT-2026-22070
6.5
2026-02-26
Zitadel · Zitadel · CVE-2026-27945
**Name of the Vulnerable Software and Affected Versions**

ZITADEL versions 2.59.0 through 4.10.0

**Description**

ZITADEL is an open source identity management platform. The Zitadel Action V2 feature, introduced as an early preview in version 2.59.0, beta in 3.0.0, and generally available in 4.0.0, allows developers to customize flows using webhooks. Action target URLs could point at local hosts, so anyone able to configure a target could make the ZITADEL server issue requests to itself and to services on its internal network, gathering internal network information and connecting to internal services. This is a Server-Side Request Forgery (SSRF) issue. Zitadel Actions expect responses that conform to specific schemas, which limits what an attacker can read back from a forged request and so reduces the impact.

The issue is resolved in version 4.11.1 by checking the target URL against a denylist, which denies localhost and loopback IPs by default. A backport to versions 2.x and 3.x was not feasible because of the maturity of the functionality at those versions and the changes applied since then.

**Recommendations**

Upgrade to version 4.11.1 or later. If an upgrade is not possible, prevent Actions from reaching unintended endpoints by applying network policies or firewall rules in your infrastructure, so that egress from the ZITADEL process to loopback and internal services is blocked.
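The fix described above is a denylist applied to the target URL. The following Go code is an added illustration written for this page, not ZITADEL's own implementation, of the two places such a check belongs: on the literal URL when the target is stored, and again at dial time, after name resolution, so that a DNS name pointing at 127.0.0.1 is caught as well. It goes slightly beyond the advisory by also refusing the unspecified address (0.0.0.0 and ::), which most stacks route to the local host. The hostnames and paths are made up for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
)

// ErrDeniedTarget is returned for targets that point at the local host.
var ErrDeniedTarget = errors.New("action target denied: localhost or loopback address")

// isLocalIP reports whether ip is loopback (127.0.0.0/8, ::1, including the
// IPv4-mapped form ::ffff:127.0.0.1) or unspecified (0.0.0.0 / ::).
// The unspecified check is an extension of the advisory's localhost/loopback list.
func isLocalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified()
}

// CheckTargetURL validates an Action target URL before it is stored.
// It is a literal-string check: it catches "localhost" names and loopback
// IP literals but cannot know what a DNS name will resolve to later.
func CheckTargetURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid target URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return errors.New("target URL has no host")
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return ErrDeniedTarget
	}
	if ip := net.ParseIP(host); ip != nil && isLocalIP(ip) {
		return ErrDeniedTarget
	}
	return nil
}

// DenyLocalDial is a net.Dialer Control hook. The dialer calls it after name
// resolution and immediately before connect(2) with the concrete "ip:port",
// so it also rejects DNS names that resolve to loopback and is not fooled by
// a record that changes between validation time and request time.
func DenyLocalDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("unexpected non-IP dial address %q", address)
	}
	if isLocalIP(ip) {
		return ErrDeniedTarget
	}
	return nil
}

// NewWebhookClient wires the dial-time check into the HTTP client that would
// deliver Action webhooks (assumed wiring, not ZITADEL's).
func NewWebhookClient() *http.Client {
	d := &net.Dialer{Control: DenyLocalDial}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	// Constructed sample targets: one external, the rest pointing at the host itself.
	for _, t := range []string{
		"https://hooks.example.com/zitadel",
		"http://localhost:8080/debug",
		"http://127.0.0.1:9090/metrics",
		"http://[::1]:8080/",
		"http://[::ffff:127.0.0.1]/",
		"http://0.0.0.0:8080/",
	} {
		fmt.Printf("%-40s %v\n", t, CheckTargetURL(t))
	}
}
```

Two caveats a practitioner should keep in mind. A literal denylist only matches the spellings it knows about: hostnames that resolve to loopback, redirects returned by an allowed host, and alternative address encodings are all outside its reach, which is why the dial-time hook does the real enforcement here. And neither check replaces the advisory's fallback advice: egress rules at the network or firewall level remain the backstop that does not depend on the application parsing the URL correctly.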