CVE-2026-55412: ToolJet is the open-source foundation of an AI-native platform for building and deploying internal tools, workflows and AI
Summary
ToolJet, an open-source platform for building internal tools and AI agents, has an SSRF vulnerability (server-side request forgery, where an attacker tricks the server into making unintended HTTP requests) in versions before 3.20.178-lts. The RestAPI data source component validates only the literal hostname, not the IP addresses that hostname resolves to, so a specially crafted domain name such as 169.254.169.254.nip.io passes the check while resolving to the link-local address of Azure IMDS (Azure Instance Metadata Service, which serves cloud credentials), allowing an attacker to obtain authentication tokens for production systems.
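The two checks contrasted above, as an added Python example rather than ToolJet's own code: a hostname-only validator that lets a resolvable name through, beside a resolved-address validator that rejects a destination when any address it resolves to falls in a blocked range. The `FAKE_DNS` table and `fake_resolver` are constructed stand-ins for real DNS so the example runs offline; the `169.254.169.254.nip.io` name comes from the advisory, and `api.example.com` / `dual.example.com` are made-up hostnames.

```python
import ipaddress
import socket

# Address ranges a server-side HTTP client should never reach when the
# destination comes from user input. 169.254.0.0/16 covers the link-local
# metadata endpoints used by Azure IMDS and other cloud providers.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
        "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
    )
]


def is_blocked_ip(ip):
    """True if the given IP literal lies in any blocked range."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 address (::ffff:169.254.169.254) is the same
    # destination as its IPv4 form, so check that form as well.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def hostname_only_check(host):
    """The weak check: inspects the literal hostname and nothing else.
    Returns True when the destination should be blocked."""
    try:
        return is_blocked_ip(host)       # bare IP literal: compare directly
    except ValueError:
        pass
    # Any non-literal hostname is accepted, which is the flaw: a name such as
    # 169.254.169.254.nip.io is not an IP literal, yet resolves to one.
    return False


def resolve_all(host):
    """Real resolver: every A/AAAA answer for the name (not used by the test)."""
    return [r[4][0] for r in socket.getaddrinfo(host, None)]


def resolved_ip_check(host, resolver=resolve_all):
    """The hardened check: resolve the name and block if ANY resulting
    address is in a blocked range. Fails closed when nothing resolves."""
    try:
        return is_blocked_ip(host)
    except ValueError:
        pass
    addrs = resolver(host)
    if not addrs:
        return True
    return any(is_blocked_ip(a) for a in addrs)


# Constructed DNS table standing in for real resolution (assumption, not real data).
FAKE_DNS = {
    "169.254.169.254.nip.io": ["169.254.169.254"],
    "api.example.com": ["93.184.216.34"],
    "dual.example.com": ["93.184.216.34", "::ffff:169.254.169.254"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(f"{name:28} hostname-only blocked={hostname_only_check(name)!s:5} "
              f"resolved-ip blocked={resolved_ip_check(name, fake_resolver)}")
```

Two design points matter in practice. The check must reject the destination if any resolved address is blocked, not just the first, since a name can carry both a public and a link-local answer. And the address validated here must be the one the HTTP client actually connects to; if the client performs its own lookup afterwards, a name whose answer changes between the two lookups (DNS rebinding) defeats the check, so the resolved address should be pinned for the connection or the check repeated at connect time.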
Solution / Mitigation
Update ToolJet to version 3.20.178-lts or later, which contains the fix for this vulnerability.
Vulnerability Details
CVSS base score: 8.3 (High)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Date: June 25, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-55412
First tracked: June 25, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 85%