Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Network-reachable and low-complexity, but requires an authenticated account (PR:L); scope changes as the SSRF pivots to Azure IMDS, and stolen cloud tokens make confidentiality High.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only checks the hostname string - not the resolved IP. DNS names like 169.254.169.254.nip.io resolve to the Azure IMDS link-local address and bypass the filter entirely. This allows any authenticated user (free tier) to steal Azure managed identity tokens for the AKS production cluster. This vulnerability is fixed in 3.20.178-lts.
AnalysisAI
Server-side request forgery in ToolJet's RestAPI data source (versions prior to 3.20.178-lts) allows a low-privileged platform user to reach internal network endpoints because the private-IP filter validates only the hostname string rather than the resolved IP. By supplying a DNS name such as 169.254.169.254.nip.io, an attacker bypasses the filter and forces the server to query the Azure IMDS link-local endpoint, enabling theft of managed-identity tokens for the backing AKS production cluster. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated ToolJet account (the advisory states any free-tier user suffices) with the ability to create or edit a RestAPI data source, and a target deployment whose server can reach a cloud metadata endpoint - concretely demonstrated against Azure IMDS at 169.254.169.254 in an AKS-hosted instance with an attached managed identity. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but lean toward a genuine priority for ToolJet operators running in Azure/AKS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated free-tier ToolJet user creates a RestAPI data source pointing at http://169.254.169.254.nip.io/metadata/identity/oauth2/token (with the IMDS-required header), which resolves to the Azure link-local metadata address and slips past the hostname-only private-IP filter. ToolJet's server issues the request and returns the managed-identity access token to the attacker, who then uses it to authenticate to Azure and pivot into the AKS production cluster. … |
| Remediation | Upgrade to ToolJet 3.20.178-lts, which contains the fix, per advisory GHSA-h49f-mhmm-jx4w (https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4w). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all ToolJet instances and their current versions using deployment inventories; implement network-level restrictions blocking RestAPI data source outbound access to 169.254.169.254 and *.nip.io domains. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that w
Improper Access Control in GitHub repository tooljet/tooljet prior to v1.19.0. Rated high severity (CVSS 8.8), this vuln
ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover . Ra
Excessive Attack Surface in GitHub repository tooljet/tooljet prior to v1.16.0. Rated high severity (CVSS 8.0), this vul
Tooljet v1.6 does not properly handle missing values in the API, allowing attackers to arbitrarily reset passwords via a
Account Takeover :: when see the info i can see the hash pass i can creaked it ............... Rated high severity (CVSS
Unrestricted file size limit can lead to DoS in tooljet/tooljet <1.27 by allowing a logged in attacker to upload profile
A cross-site scripting (XSS) vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML v
Stored code injection in ToolJet self-hosted (prior to 3.20.178-lts) lets any authenticated builder-role user - availabl
ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside t
Just like in the previous report, an attacker could steal the account of different users. Rated medium severity (CVSS 4.
Cross-tenant credential decryption in ToolJet prior to 3.20.1780-lts allows any authenticated user to retrieve plaintext
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39469