Platform
rust
Component
trusttunnel
Fixed in
0.9.115
CVE-2026-24902 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in TrustTunnel, an open-source VPN protocol. This flaw allows attackers to bypass private network restrictions, potentially leading to unauthorized access to internal services. The vulnerability impacts versions of TrustTunnel prior to 0.9.114, and a fix is available in version 0.9.114.
The SSRF vulnerability in TrustTunnel allows an attacker to craft malicious requests that appear to originate from the TrustTunnel server itself. Because the private network restriction check (allowprivatenetwork_connections = false) was incompletely implemented, attackers can bypass this restriction by supplying numeric IP addresses instead of hostnames. This enables them to connect to internal services that should be inaccessible from the outside, such as databases, internal APIs, or other sensitive resources. The potential impact includes data exfiltration, privilege escalation, and complete compromise of the internal network if the attacker can exploit the vulnerability to gain access to critical systems.
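The incomplete check described above, as an added illustration written for this page rather than TrustTunnel's own code: a destination filter whose hostname branch enforces the private-network policy while the numeric-address branch passes the peer through unchanged (the `TcpDestination::Address(peer) => peer` shape the detection hint below greps for), beside a hardened version that resolves first and then applies one policy to the resulting address in both branches. The `TcpDestination` enum, the `allow_private` flag, the `Deny` type and the offline resolver map are all assumptions constructed for the example.

```rust
// Added illustration (not TrustTunnel's code): a destination check that a
// numeric IP literal bypasses, next to a hardened version of the same check.
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};

/// Hypothetical destination type, modelled on the `TcpDestination::Address(peer)`
/// pattern quoted in the advisory's detection hint.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum TcpDestination {
    Address(IpAddr),
    Hostname(String),
}

/// Reasons a forward request is refused (constructed for the example).
#[derive(Debug, PartialEq, Eq)]
pub enum Deny {
    PrivateAddress(IpAddr),
    Unresolvable(String),
}

/// Loopback, RFC 1918, link-local, unspecified and IPv6 unique-local ranges count
/// as "private" here; IPv4-mapped IPv6 addresses are checked as their IPv4 form.
pub fn ip_is_private(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            v4.is_private() || v4.is_loopback() || v4.is_link_local() || v4.is_unspecified()
        }
        IpAddr::V6(v6) => {
            let first = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (first & 0xffc0) == 0xfe80 // fe80::/10 link local
                || v6.to_ipv4_mapped().map_or(false, |m| ip_is_private(IpAddr::V4(m)))
        }
    }
}

/// Vulnerable shape: only the hostname branch is checked. A numeric literal is
/// returned as-is, so `allow_private = false` is never enforced for it.
pub fn resolve_vulnerable(
    dest: &TcpDestination,
    allow_private: bool,
    resolver: &HashMap<&str, IpAddr>,
) -> Result<IpAddr, Deny> {
    match dest {
        TcpDestination::Address(peer) => Ok(*peer), // no policy check: the bypass
        TcpDestination::Hostname(host) => {
            let ip = *resolver
                .get(host.as_str())
                .ok_or_else(|| Deny::Unresolvable(host.clone()))?;
            if !allow_private && ip_is_private(ip) {
                return Err(Deny::PrivateAddress(ip));
            }
            Ok(ip)
        }
    }
}

/// Hardened shape: obtain the concrete address first, then apply one policy to
/// it regardless of whether the caller supplied a literal or a name. Returning
/// the vetted address (instead of re-resolving later) pins the decision to the
/// address that was actually checked.
pub fn resolve_hardened(
    dest: &TcpDestination,
    allow_private: bool,
    resolver: &HashMap<&str, IpAddr>,
) -> Result<IpAddr, Deny> {
    let ip = match dest {
        TcpDestination::Address(peer) => *peer,
        TcpDestination::Hostname(host) => *resolver
            .get(host.as_str())
            .ok_or_else(|| Deny::Unresolvable(host.clone()))?,
    };
    if !allow_private && ip_is_private(ip) {
        return Err(Deny::PrivateAddress(ip));
    }
    Ok(ip)
}

/// Constructed, offline stand-in for DNS so the example runs without a network.
pub fn sample_resolver() -> HashMap<&'static str, IpAddr> {
    let mut m = HashMap::new();
    m.insert("intranet.test", IpAddr::V4(Ipv4Addr::new(10, 0, 0, 5)));
    m.insert("public.test", IpAddr::V4(Ipv4Addr::new(203, 0, 113, 7)));
    m
}

fn main() {
    let dns = sample_resolver();
    let loopback = TcpDestination::Address(IpAddr::V4(Ipv4Addr::LOCALHOST));
    println!("vulnerable: {:?}", resolve_vulnerable(&loopback, false, &dns));
    println!("hardened:   {:?}", resolve_hardened(&loopback, false, &dns));
}
```

The point of the split is that the policy must sit after the point where every input form has become a concrete address; a check placed only in the name-resolution path is a check on one syntax, not on the destination.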
This vulnerability was publicly disclosed on 2026-01-29. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it relatively straightforward to exploit. Because TrustTunnel is a VPN solution, the flaw raises concerns about potentially widespread impact. The vulnerability is not listed on CISA KEV as of this writing.
Organizations using TrustTunnel as their VPN solution, particularly those with sensitive internal resources accessible via the VPN, are at risk. Environments with legacy TrustTunnel deployments or those that have not implemented robust network segmentation are especially vulnerable.
• rust / server:
# Check the TrustTunnel version pinned in Cargo.lock
# (rustc --version only reports the compiler version, not the crate)
grep -A1 'name = "trusttunnel"' Cargo.lock
• rust / server:
# Inspect tcp_forwarder.rs for the unchecked numeric-address branch
grep -r 'TcpDestination::Address(peer) => peer' ./src/tcp_forwarder.rs
• generic web:
# Check for outbound connections to internal IPs via curl
# (curl -v writes its trace to stderr, so redirect it before grepping)
curl -v <TrustTunnel_Endpoint> 2>&1 | grep -i '127.0.0.1'
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-24902 is to upgrade TrustTunnel to version 0.9.114 or later, which includes the corrected SSRF protection. If upgrading is not immediately feasible, consider placing a Web Application Firewall (WAF) or reverse proxy with strict outbound filtering rules in front of the service to block requests to internal IP addresses. Carefully review TrustTunnel's configuration to ensure that allowprivatenetwork_connections is properly configured and enforced. After upgrading, verify the fix by attempting to connect to a known internal IP address supplied as a numeric literal (the form that bypassed the original check); the connection should be rejected.
Update TrustTunnel to version 0.9.114 or higher. This version corrects the SSRF vulnerability and the bypass of private network restrictions. The update can be performed via the Rust package manager, Cargo.
CVE-2026-24902 is a HIGH severity SSRF vulnerability affecting TrustTunnel versions prior to 0.9.114, allowing attackers to bypass private network restrictions and potentially access internal resources.
You are affected if you are using TrustTunnel versions less than or equal to 0.9.114. Upgrade to 0.9.114 to mitigate the risk.
Upgrade TrustTunnel to version 0.9.114 or later. As a temporary workaround, implement a WAF or proxy with outbound filtering rules to block requests to internal IP addresses.
While no active exploitation has been confirmed, the vulnerability's nature makes it easily exploitable, so proactive mitigation is recommended.
Refer to the TrustTunnel project's official repository and release notes for the advisory and detailed information regarding the fix.