CVE-2026-55412

HIGH 8.3

ToolJet Cloud - SSRF to Azure Cloud Infrastructure Compromise

CVSS Score

8.3

EPSS Score

0.0%

EPSS Percentile

0th

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only checks the hostname string — not the resolved IP. DNS names like 169.254.169.254.nip.io resolve to the Azure IMDS link-local address and bypass the filter entirely. This allows any authenticated user (free tier) to steal Azure managed identity tokens for the AKS production cluster. This vulnerability is fixed in 3.20.178-lts.

CWE	CWE-918
Vendor	tooljet
Product	tooljet
Published	Jun 25, 2026
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for tooljet tooljet

Be the first to know when new high vulnerabilities affecting tooljet tooljet are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

ToolJet / ToolJet

< 3.20.178-lts

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4w