{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24902", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T19:35:20.530Z", "datePublished": "2026-01-29T21:21:38.878Z", "dateUpdated": "2026-01-29T21:33:10.256Z"}, "containers": {"cna": {"title": "TrustTunnel has SSRF and private network restriction bypass via numeric address destinations", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76"}, {"name": "https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0", "tags": ["x_refsource_MISC"], "url": "https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0"}], "affected": [{"vendor": "TrustTunnel", "product": "TrustTunnel", "versions": [{"version": "< 0.9.114", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:21:38.878Z"}, "descriptions": [{"lang": "en", "value": "TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114."}], "source": {"advisory": "GHSA-hgr9-frvw-5r76", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T21:32:58.537538Z", "id": "CVE-2026-24902", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T21:33:10.256Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24902", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T21:32:58.537538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T21:33:05.970Z"}}], "cna": {"title": "TrustTunnel has SSRF and private network restriction bypass via numeric address destinations", "source": {"advisory": "GHSA-hgr9-frvw-5r76", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "TrustTunnel", "product": "TrustTunnel", "versions": [{"status": "affected", "version": "< 0.9.114"}]}], "references": [{"url": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76", "name": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0", "name": "https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:21:38.878Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24902", "state": "PUBLISHED", "dateUpdated": "2026-01-29T21:33:10.256Z", "dateReserved": "2026-01-27T19:35:20.530Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-29T21:21:38.878Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adguard:trusttunnel:*:*:*:*:*:*:*:*", "matchCriteriaId": "643A4E8A-36C5-4726-83D6-983E7AF83AFF", "versionEndExcluding": "0.9.114", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114."}], "id": "CVE-2026-24902", "lastModified": "2026-02-20T20:57:04.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-29T22:15:54.893", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:20:27.643711+00:00", "value": {"mitigation_remediation": ["Upgrade TrustTunnel to version 0.9.114 or newer to incorporate the SSRF fix.", "Restart all TrustTunnel services so the updated code and configuration are active.", "Apply network segmentation or firewall rules on the TrustTunnel host to block outbound connections to private IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8) as an additional defense.", "Monitor TrustTunnel logs for unexpected connections to internal IP ranges and investigate promptly."], "summary": {"action": "Apply Patch", "impact": "Server\u2011side Request Forgery with private network access"}, "threat_synthesis": {"affected_systems": "All installations of TrustTunnel by AdGuard running a version earlier than 0.9.114 are affected. The affected product is the TrustTunnel VPN server, which can be hosted on any platform where TrustTunnel is deployed.", "description_and_impact": "TrustTunnel is an open\u2011source VPN protocol that allows a server\u2011side request forgery when a numeric IP is supplied. The SSRF protection is only applied to hostname destinations; numeric IP destinations bypass the check for private or loopback addresses, which lets an attacker reach internal services even when the server is configured to deny private network connections. This flaw is a CWE\u2011918 vulnerability with a CVSS score of 7.1, indicating that an attacker could achieve confidentiality or integrity violations on the vulnerable host or on internal network assets.", "risk_and_exploitability": "The CVSS base score of 7.1 denotes a high severity issue, while the EPSS score of less than 1\u202f% indicates a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog, and no known public exploitation has been reported. The likely attack vector involves an attacker crafting a connection request to the TrustTunnel server that includes a numeric IP destination; because the SSRF validation is omitted for such destinations, the server will connect to the supplied private or loopback address, potentially exposing internal services or facilitating lateral movement. Given the default configuration of allow_private_network_connections\u202f=\u202ffalse, any client with access to the server\u2019s forwarding interface can exploit this weakness."}}}}, "created": "2026-01-30T08:42:24.712985+00:00", "updated": "2026-04-18T01:30:16.035426+00:00", "vendors": ["trusttunnel", "trusttunnel$PRODUCT$trusttunnel"]}