CVE-2026-24902
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
4Tags
Description
TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.
Analysis
TrustTunnel versions prior to 0.9.114 fail to validate private network restrictions when processing numeric IP addresses in TCP connections, enabling authenticated attackers to bypass SSRF protections and reach loopback or internal network targets. The vulnerability exists because IP-based connection requests skip the same security checks applied to hostname-based requests. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all TrustTunnel instances running versions prior to 0.9.114 and their configuration status regarding private network connections. Within 7 days: Apply vendor patch to upgrade all affected deployments to version 0.9.114 or later, prioritizing production VPN gateways. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today