CVE Catalog

CVE-2026-55412

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

In ToolJet prior to version 3.20.178-lts, there is an SSRF vulnerability in the RestAPI data source component. The private IP filter only checks the hostname string, allowing bypassing of security and theft of Azure managed identity tokens.

Risk Assessment

This vulnerability allows authenticated users (even on the free tier) to steal identity tokens, potentially leading to unauthorized access to resources in the AKS production cluster.

Recommendation

It is recommended to upgrade to version 3.20.178-lts to mitigate this vulnerability and implement additional security measures to protect against SSRF attacks.

Original NVD description (English source)

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only checks the hostname string — not the resolved IP. DNS names like 169.254.169.254.nip.io resolve to the Azure IMDS link-local address and bypass the filter entirely. This allows any authenticated user (free tier) to steal Azure managed identity tokens for the AKS production cluster. This vulnerability is fixed in 3.20.178-lts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS