CVE-2026-55412
Status: Deferred - Pending Action
SSRF in ToolJet via RestAPI Data Source

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
ToolJet is the open-source foundation of an AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there is an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only checks the hostname string, not the resolved IP. DNS names like 169.254.169.254.nip.io resolve to the Azure IMDS link-local address and bypass the filter entirely. This allows any authenticated user (free tier) to steal Azure managed identity tokens for the AKS production cluster. This vulnerability is fixed in 3.20.178-lts.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor    Product    Version / Range
tooljet   tooljet    to 3.20.178-lts (inc)
tooljet   tooljet    3.20.178-lts
tooljet   tooljet    to 3.20.164-lts (exc)
Exploitability
CWE ID    Description
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) in the RestAPI data source component of ToolJet versions prior to 3.20.178-lts. The RestAPI data source executes HTTP requests on the server side and attempts to filter private IP addresses by checking only the hostname string, not the resolved IP address. Attackers can exploit this by using DNS names like 169.254.169.254.nip.io, which resolve to the Azure Instance Metadata Service (IMDS) link-local address, bypassing the filter. This allows any authenticated user, even on the free tier, to steal Azure managed identity tokens for the AKS production cluster.

Impact Analysis

The vulnerability can have serious impacts including unauthorized access to sensitive Azure managed identity tokens. This can lead to attackers gaining access to the AKS production cluster, potentially allowing them to read, modify, or delete data, disrupt services, or escalate privileges within the environment.

Mitigation Strategies

To mitigate this vulnerability, upgrade ToolJet to version 3.20.178-lts or later, where the SSRF issue in the RestAPI data source component has been fixed.

Compliance Impact

This vulnerability allows authenticated users to steal Azure managed identity tokens and access sensitive Azure resources such as Azure Resource Manager, Blob Storage, and Key Vault. Such unauthorized access to sensitive data and cloud infrastructure can lead to data breaches and unauthorized data exposure.

Consequently, this can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data, as well as protection against unauthorized access and data breaches.

Failure to remediate this vulnerability could result in non-compliance due to inadequate protection of sensitive information and insufficient network security controls.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious RestAPI queries that attempt to access Azure Instance Metadata Service (IMDS) endpoints using DNS names that resolve to link-local IP addresses, such as 169.254.169.254.nip.io.

To detect exploitation attempts, you can look for HTTP requests or logs where the hostname contains patterns like '169.254.169.254.nip.io' or other similar DNS names that resolve to private IP addresses.

Suggested commands include:

  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture outgoing HTTP requests from the ToolJet server and filter for suspicious hostnames:
      tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep '169.254.169.254.nip.io'
  • Check application logs for RestAPI queries containing suspicious hostnames.
  • Use DNS resolution commands to verify if suspicious hostnames resolve to private IPs:
      dig 169.254.169.254.nip.io
      nslookup 169.254.169.254.nip.io

Additionally, enabling SSRF protection and reviewing network segmentation can help prevent exploitation.
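The Description and Detection Guidance sections above both turn on the same distinction: a filter that inspects the hostname string cannot see where a name like 169.254.169.254.nip.io actually points. The following Python is an added illustration for this advisory and is not ToolJet's code or its fix; it shows the weak string-only check beside a resolve-then-check guard, and then runs the guard over constructed log lines the way the detection advice suggests. The function names, the BLOCKED_NETWORKS list, the FAKE_DNS answer table and the log line format are assumptions made so the example runs offline.

```python
"""Resolve-then-check SSRF guard versus a hostname-string filter.

Added illustration for this advisory; not ToolJet's code. Function names,
BLOCKED_NETWORKS, FAKE_DNS and the log format are assumptions for the demo.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Ranges an internal-tool server should never be asked to fetch from.
# 169.254.0.0/16 covers the cloud metadata endpoint at 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_blocked(ip: IPAddress) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before matching.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def hostname_only_check(url: str) -> bool:
    """Weak pattern: rejects only a private/link-local IP *literal* in the URL.

    A DNS name is accepted without being resolved, so a name that resolves
    to 169.254.169.254 passes. Returns True when the request would be allowed.
    """
    host = urlsplit(url).hostname or ""
    try:
        return not _is_blocked(ipaddress.ip_address(host))
    except ValueError:
        return True  # not an IP literal: waved through unchecked


def resolve_then_check(url: str, resolver: Resolver) -> bool:
    """Hardened pattern: resolve the host and reject if ANY answer is blocked.

    Returns True only for http(s) URLs whose every resolved address is public;
    unresolvable or malformed input fails closed.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        answers = [ipaddress.ip_address(a) for a in resolver(host)]
    except (socket.gaierror, OSError, ValueError):
        return False
    if not answers:
        return False
    return not any(_is_blocked(ip) for ip in answers)


def system_resolver(host: str) -> List[str]:
    """Real resolver for production use (not exercised by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed answer table standing in for DNS so the demo runs offline.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "169.254.169.254.nip.io": ["169.254.169.254"],  # the bypass from the advisory
    "internal.example.test": ["10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # an IP literal resolves to itself
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"constructed NXDOMAIN for {host}")


# Constructed log lines; the layout is an assumption, not ToolJet's log format.
SAMPLE_LOG = """\
2026-06-25T10:00:01Z restapi user=alice url=https://api.example.com/v1/items
2026-06-25T10:00:02Z restapi user=bob url=http://169.254.169.254.nip.io/metadata
2026-06-25T10:00:03Z restapi user=carol url=http://internal.example.test/admin
2026-06-25T10:00:04Z restapi user=dave url=http://[::ffff:169.254.169.254]/metadata
"""

URL_RE = re.compile(r"url=(\S+)")


def flag_log_lines(log: str, resolver: Resolver) -> List[str]:
    """Return the log lines whose request host resolves into a blocked range."""
    flagged = []
    for line in log.splitlines():
        m = URL_RE.search(line)
        if m and not resolve_then_check(m.group(1), resolver):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("string filter allows the nip.io name:",
          hostname_only_check("http://169.254.169.254.nip.io/metadata"))
    print("resolved check rejects it:",
          resolve_then_check("http://169.254.169.254.nip.io/metadata", fake_resolver))
    for line in flag_log_lines(SAMPLE_LOG, fake_resolver):
        print("FLAG", line)
```

Two points follow from running it. For detection, grepping logs for the literal string '169.254.169.254.nip.io' only catches that one wildcard-DNS service; flagging on the resolved address, as flag_log_lines does, also catches the IPv4-mapped IPv6 form and any other name that points into a link-local or private range. For mitigation, resolving and then checking still leaves a gap if the HTTP client performs its own lookup afterwards (a DNS rebinding race), so a production guard should connect to the address it validated rather than let the client resolve the name a second time.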
