ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only checks the hostname string — not the resolved IP. DNS names like 169.254.169.254.nip.io resolve to the Azure IMDS link-local address and bypass the filter entirely. This allows any authenticated user (free tier) to steal Azure managed identity tokens for the AKS production cluster. This vulnerability is fixed in 3.20.178-lts.
CVE-2026-55412
This high-severity CVE scores 8.3 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.2%, top 91% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.3
- EG Score
- 8.3(medium)
- EPSS
- 9.1%
- KEV
- Not listed
Published
June 25, 2026
Last Modified
June 25, 2026
Advisory Details (1)
Auto-updated Jun 25, 2026ToolJet Cloud - SSRF to Azure Cloud Infrastructure Compromise · Advisory · ToolJet/ToolJet · GitHub
https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4wWeakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 26× in last 7d / 68× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-14 02:16 UTCEG score recompute
- 2026-07-13 22:31 UTCEPSS rescore
- 2026-07-13 14:42 UTCEG score recompute
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 03:08 UTCEG score recompute
- 2026-07-12 15:32 UTCEG score recompute
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-12 03:54 UTCEG score recompute
- 2026-07-11 16:20 UTCEG score recompute
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 04:45 UTCEG score recompute
- 2026-07-10 17:10 UTCEG score recompute
- 2026-07-10 05:36 UTCEG score recompute
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 17:59 UTCEG score recompute
- 2026-07-09 06:25 UTCEG score recompute
- 2026-07-08 18:51 UTCEG score recompute
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 07:17 UTCEG score recompute
- 2026-07-07 19:35 UTCEG score recompute
- 2026-07-07 13:46 UTCEPSS rescore
Show 43 moreShow fewer
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 08:00 UTCEG score recompute
- 2026-07-06 20:26 UTCEG score recompute
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 08:38 UTCEG score recompute
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 21:00 UTCEG score recompute
- 2026-07-05 09:26 UTCEG score recompute
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 21:51 UTCEG score recompute
- 2026-07-04 10:17 UTCEG score recompute
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-03 22:41 UTCEG score recompute
- 2026-07-03 11:07 UTCEG score recompute
- 2026-07-02 23:28 UTCEG score recompute
- 2026-07-02 11:54 UTCEG score recompute
- 2026-07-02 00:19 UTCEG score recompute
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-07-01 12:43 UTCEG score recompute
- 2026-07-01 01:09 UTCEG score recompute
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 13:34 UTCEG score recompute
- 2026-06-30 02:00 UTCEG score recompute
- 2026-06-29 14:26 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 02:52 UTCEG score recompute
- 2026-06-28 15:18 UTCEG score recompute
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 03:44 UTCEG score recompute
- 2026-06-27 16:10 UTCEG score recompute
- 2026-06-27 04:36 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 17:01 UTCEG score recompute
- 2026-06-26 05:27 UTCEG score recompute
- 2026-06-25 17:51 UTCEG score recompute
- 2026-06-25 17:48 UTCNVD updatefirst tracked
Related CVEs(same CWE)
Same CWE
10 shownCWE-918
Frequently asked(5)
What is CVE-2026-55412?
When was CVE-2026-55412 disclosed?
Is CVE-2026-55412 actively exploited?
What is the CVSS score of CVE-2026-55412?
How do I remediate CVE-2026-55412?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-55412
Is Your Infrastructure Affected by CVE-2026-55412?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.