CVE-2026-55411: ToolJet is the open-source foundation of an AI-native platform for building and deploying internal tools, workflows and AI
Summary
ToolJet, an open-source platform for building internal tools and AI agents, exposed an authenticated endpoint, POST /api/data-sources/decrypt, that in versions before 3.20.1780-lts decrypted the stored database credentials of any data source whose credential ID the caller supplied, without checking that the caller belonged to the organization owning that data source. Any authenticated user who knew or guessed a credential ID could therefore read another organization's secrets: a cross-tenant confidentiality breach. Comparable endpoints already enforced the organization check; this one did not.
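The flaw is a missing tenant-scoping check on an otherwise authenticated lookup. The block below is an added illustration of that pattern and its fix; it is not ToolJet's code, and every name in it (the data-source records, the caller shape, the toy XOR "encryption" standing in for the real credential cipher, the function names) is an assumption made for the example. It shows a vulnerable handler that looks a credential up by ID alone beside a hardened one that scopes the lookup to the caller's organization and reports a cross-tenant miss the same way as a non-existent ID, so IDs cannot be enumerated through the response code.

```typescript
// Added example: missing tenant check vs. tenant-scoped lookup on a
// "decrypt data-source credential" endpoint. Not ToolJet's code; all
// names, data shapes and the toy cipher are assumptions for illustration.

type DataSource = {
  id: string;
  organizationId: string;
  encryptedCredential: string;
};

type Caller = { userId: string; organizationId: string };
type Result = { status: 200 | 404; body?: string };

// Toy reversible cipher (XOR with a fixed byte, hex-encoded). It only stands
// in for the real encryption so the example runs offline; never use this.
const TOY_KEY = 0x5a;

function toyEncrypt(plain: string): string {
  return Array.from(plain, (ch) =>
    (ch.charCodeAt(0) ^ TOY_KEY).toString(16).padStart(2, "0")
  ).join("");
}

function toyDecrypt(hex: string): string {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) ^ TOY_KEY);
  }
  return out;
}

// Constructed sample inventory: two tenants, one data source each.
const DATA_SOURCES: DataSource[] = [
  {
    id: "ds-1001",
    organizationId: "org-a",
    encryptedCredential: toyEncrypt("pg://alice:s3cret@db-a/prod"),
  },
  {
    id: "ds-2002",
    organizationId: "org-b",
    encryptedCredential: toyEncrypt("pg://bob:hunter2@db-b/prod"),
  },
];

// Vulnerable shape: the caller is authenticated, but the record is selected
// by credential ID alone, so any logged-in user can decrypt any tenant's secret.
function decryptVulnerable(caller: Caller, dataSourceId: string): Result {
  void caller.organizationId; // the caller's tenant is never consulted
  const ds = DATA_SOURCES.find((d) => d.id === dataSourceId);
  if (!ds) return { status: 404 };
  return { status: 200, body: toyDecrypt(ds.encryptedCredential) };
}

// Hardened shape: the lookup is scoped to the caller's organization. A record
// that exists but belongs to another tenant is indistinguishable from a
// non-existent ID, so the endpoint cannot be used to enumerate credential IDs.
function decryptScoped(caller: Caller, dataSourceId: string): Result {
  const ds = DATA_SOURCES.find(
    (d) => d.id === dataSourceId && d.organizationId === caller.organizationId
  );
  if (!ds) return { status: 404 };
  return { status: 200, body: toyDecrypt(ds.encryptedCredential) };
}

// Cross-tenant probe: a user in org-a asks for org-b's credential. Returns
// true when the handler under test leaks the secret.
function leaksAcrossTenants(
  handler: (caller: Caller, id: string) => Result
): boolean {
  const attacker: Caller = { userId: "u-1", organizationId: "org-a" };
  const victimCredentialId = "ds-2002";
  return handler(attacker, victimCredentialId).status === 200;
}

console.log("vulnerable handler leaks:", leaksAcrossTenants(decryptVulnerable));
console.log("scoped handler leaks:", leaksAcrossTenants(decryptScoped));
```

The same check belongs on every handler that takes a tenant-owned ID; the advisory's point is precisely that one endpoint lacked what its siblings already enforced, so a review should diff each ID-keyed lookup against the organization of the authenticated caller rather than trusting authentication alone.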
Solution / Mitigation
Update ToolJet to version 3.20.1780-lts or later, where this vulnerability is fixed.
Vulnerability Details
Severity: 6.8 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack vector: adjacent
Attack complexity: low
Privileges required: low
User interaction: none
Date: June 25, 2026
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-55411
First tracked: June 25, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 85%