CVE-2026-55412 | ToolJet is the open-source foundation am AI-native platform … | CVSS 8.3 HIGH

Description

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only checks the hostname string — not the resolved IP. DNS names like 169.254.169.254.nip.io resolve to the Azure IMDS link-local address and bypass the filter entirely. This allows any authenticated user (free tier) to steal Azure managed identity tokens for the AKS production cluster. This vulnerability is fixed in 3.20.178-lts.

Metadata

CVE ID: CVE-2026-55412
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-16 21:48 UTC
Published: 2026-06-25 16:07 UTC
Last updated: 2026-06-25 17:40 UTC
Primary CWE: CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product: ToolJet / ToolJet
Sources: cve.org · NVD

Severity & Metrics

8.3 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
ToolJet	ToolJet	—	< 3.20.178-lts

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.3	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References (1)

https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4w https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4w