A critical vulnerability exists in ZITADEL, an open-source identity infrastructure tool, that allows an unauthenticated attacker to bypass network security controls. By manipulating a specific HTTP header, an attacker can force the server to access internal network resources and steal sensitive data. This flaw poses a significant risk of data exfiltration and further network compromise.

The vulnerability is a full-read Server-Side Request Forgery (SSRF). The ZITADEL Login UI (V2) improperly trusts the x-zitadel-forward-host HTTP header, which is intended as a fallback mechanism. An unauthenticated attacker can craft a request to the ZITADEL server and set this header to an arbitrary internal IP address or domain. The server will then initiate a connection to the specified internal target and forward the full response back to the attacker, effectively acting as a proxy into the internal network.

This vulnerability is rated as critical severity with a CVSS score of 9.3. Successful exploitation could have a severe impact on the organization, leading to the exfiltration of sensitive internal data, such as database credentials, API keys, and information from internal services that are not exposed to the internet. An attacker could use this flaw to scan the internal network, bypass firewall rules and network segmentation, and potentially pivot to other systems within the corporate network, leading to a significant data breach and operational disruption.

Immediate Action: Upgrade all affected ZITADEL instances to the patched version 4.7.1 or later. After patching, review access logs and outbound network traffic from ZITADEL servers for any signs of compromise or exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Security teams should monitor web server and application logs for incoming requests containing the x-zitadel-forward-host header, especially those with values pointing to internal or unexpected domains. Monitor egress network traffic from ZITADEL servers for connections to unusual internal IP addresses or ports. An increase in anomalous responses or connection errors could indicate scanning or exploitation activity.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to inspect and block or strip the x-zitadel-forward-host header from all incoming requests to ZITADEL instances. Additionally, apply strict egress filtering rules on the host firewall of the ZITADEL server to limit its ability to make outbound connections to only known and required destinations.

Public Exploit Available: false

Due to the critical 9.3 CVSS score and the direct risk of internal data exfiltration, we strongly recommend that organizations prioritize patching all vulnerable ZITADEL instances immediately. The ability for an unauthenticated attacker to bypass network perimeters presents a clear and present danger. Although this CVE is not yet on the CISA KEV list, its severity makes it a prime target for opportunistic and sophisticated threat actors. Immediate remediation is the most effective course of action to prevent a potential compromise.