CVE-2026-24902
Published: 29 January 2026
Summary
CVE-2026-24902 is a high-severity SSRF (CWE-918) vulnerability in Adguard Trusttunnel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF bypass in public-facing VPN tcp_forwarder directly enables T1190 (exploiting the exposed service for unauthorized internal access) and T1046 (abusing the connect primitive to probe/discover private/loopback services).
NVD Description
TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) =>…
more
peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.
Deeper analysisAI
CVE-2026-24902 is a server-side request forgery (SSRF) and private network restriction bypass vulnerability (CWE-918) in the open-source TrustTunnel VPN protocol, affecting versions prior to 0.9.114. The flaw exists in the `tcp_forwarder.rs` component, where SSRF protections for `allow_private_network_connections = false` were only applied to the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer)` path directly invoked `TcpStream::connect()` without equivalent checks like `is_global_ip` or `is_loopback`, enabling connections to loopback or private IP targets when supplied as numeric IPs.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating exploitation over the network with low complexity, requiring low privileges but no user interaction. A low-privileged remote attacker can bypass private network restrictions to connect to otherwise protected loopback or private destinations, resulting in low confidentiality impact, high integrity impact through unauthorized access, and no availability impact.
TrustTunnel fixed the issue in version 0.9.114. Mitigation details are available in the GitHub security advisory at https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76 and the patching commit at https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0.
Details
- CWE(s)