CVE-2026-55412
HighCVSS 8.3Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
In ToolJet prior to version 3.20.178-lts, there is an SSRF vulnerability in the RestAPI data source component. The private IP filter only checks the hostname string, allowing bypassing of security and theft of Azure managed identity tokens.
Risk Assessment
This vulnerability allows authenticated users (even on the free tier) to steal identity tokens, potentially leading to unauthorized access to resources in the AKS production cluster.
Recommendation
It is recommended to upgrade to version 3.20.178-lts to mitigate this vulnerability and implement additional security measures to protect against SSRF attacks.
Original NVD description (English source)
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only checks the hostname string — not the resolved IP. DNS names like 169.254.169.254.nip.io resolve to the Azure IMDS link-local address and bypass the filter entirely. This allows any authenticated user (free tier) to steal Azure managed identity tokens for the AKS production cluster. This vulnerability is fixed in 3.20.178-lts.

