Server-Side Request Forgery in ToolJet Affects Azure Managed Identity Tokens
CVE-2026-55412

8.3 HIGH

Key Information:

Vendor

Tooljet

Status
Vendor
CVE Published:
25 June 2026

What is CVE-2026-55412?

ToolJet, an open-source platform for building internal tools, is vulnerable to Server-Side Request Forgery (SSRF) in its RestAPI data source component in versions prior to 3.20.178-lts. The vulnerability stems from an improper filter on private IP addresses: an authenticated user could supply a DNS name such as 169.254.169.254.nip.io, which resolves to the link-local metadata address, and pass the check. This allowed attackers to bypass the restriction and obtain Azure managed identity tokens without authorization. The issue is fixed in version 3.20.178-lts; keeping deployments current prevents exploitation.

Affected Version(s)

ToolJet < 3.20.178-lts

References

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
