What is the CVSS score of CVE-2026-24902?

CVE-2026-24902 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Trusttunnel are affected by CVE-2026-24902?

TrustTunnel VPN deployments with private network restrictions disabled are vulnerable to server-side request forgery attacks that could allow attackers to access internal resources and bypass network…. A patch is available.

Is there a public PoC exploit available for CVE-2026-24902?

Yes, a public proof-of-concept exploit is available for CVE-2026-24902. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-24902?

Within 24 hours: Identify all TrustTunnel instances running versions prior to 0.9.114 and their configuration status regarding private network connections. Within 7 days: Apply vendor patch to upgrade all affected deployments to version 0.9.114 or later, prioritizing production VPN gateways. Within 30 days: Conduct network segmentation audit to verify private network restrictions are properly enforced and review VPN access logs for signs of exploitation.

Trusttunnel CVE-2026-24902

HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-01-29 security-advisories@github.com

SSRF Trusttunnel

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Feb 20, 2026 - 20:57 vuln.today

Public exploit code

Patch released

Feb 20, 2026 - 20:57 nvd

Patch available

CVE Published

Jan 29, 2026 - 22:15 nvd

HIGH 7.1

DescriptionGitHub Advisory

TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In tcp_forwarder.rs, SSRF protection for allow_private_network_connections = false was only applied in the TcpDestination::HostName(peer) path. The TcpDestination::Address(peer) => peer path proceeded to TcpStream::connect() without equivalent checks (for example is_global_ip, is_loopback), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.

AnalysisAI

TrustTunnel versions prior to 0.9.114 fail to validate private network restrictions when processing numeric IP addresses in TCP connections, enabling authenticated attackers to bypass SSRF protections and reach loopback or internal network targets. The vulnerability exists because IP-based connection requests skip the same security checks applied to hostname-based requests. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to TrustTunnel VPN

Exploit

Supply numeric IP address in connection request

Execution

Bypass SSRF checks on Address path

Impact

Connect to private/loopback network targets