CVE-2026-24902
Published: 29 January 2026
Summary
CVE-2026-24902 is a high-severity SSRF (CWE-918) vulnerability in Adguard Trusttunnel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-24902 is a server-side request forgery (SSRF) and private network restriction bypass vulnerability (CWE-918) in the open-source TrustTunnel VPN protocol, affecting versions prior to 0.9.114. The flaw exists in the `tcp_forwarder.rs` component, where SSRF protections for `allow_private_network_connections = false` were only applied to the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer)` path directly invoked `TcpStream::connect()` without equivalent checks like `is_global_ip` or `is_loopback`, enabling connections to loopback or private IP targets when supplied as numeric IPs.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating exploitation over the network with low complexity, requiring low privileges but no user interaction. A low-privileged remote attacker can bypass private network restrictions to connect to otherwise protected loopback or private destinations, resulting in low confidentiality impact, high integrity impact through unauthorized access, and no availability impact.
TrustTunnel fixed the issue in version 0.9.114. Mitigation details are available in the GitHub security advisory at https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76 and the patching commit at https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4951
Vulnerability details
TrustTunnel is an open-source VPN protocol with a server-side request forgery and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.
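To make the two code paths concrete, the following is an added Rust example, not TrustTunnel's own code: the `TcpDestination` shape, the `Resolver` alias and the function names are assumptions, and because `IpAddr::is_global` is nightly-only, `is_restricted_ip` is a stable-Rust stand-in for it. It shows the pre-fix dispatch, where only the hostname arm is policed, beside a version that resolves first and applies one check to every candidate address, IPv4-mapped IPv6 included.

```rust
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// Destination shape assumed for this example (hypothetical; not TrustTunnel's real type).
pub enum TcpDestination {
    HostName(String, u16),
    Address(SocketAddr),
}

fn is_restricted_v4(v4: Ipv4Addr) -> bool {
    v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_unspecified() || v4.is_broadcast()
}
/// Stable-Rust stand-in for the nightly-only `is_global`: true when the address
/// is loopback, private, link-local or otherwise not publicly routable.
pub fn is_restricted_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_restricted_v4(v4),
        IpAddr::V6(v6) => {
            // ::ffff:127.0.0.1 and similar must be judged as their IPv4 form.
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_restricted_v4(v4);
            }
            let seg0 = v6.segments()[0];
            v6.is_loopback() || v6.is_unspecified()
                || (seg0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (seg0 & 0xffc0) == 0xfe80 // fe80::/10 link local
        }
    }
}
/// DNS abstraction so the example runs offline (assumed, not the project's resolver).
type Resolver<'a> = &'a dyn Fn(&str) -> Vec<IpAddr>;

/// Fixed shape: produce the candidate addresses first, then apply one policy
/// check to every one of them, however the destination was expressed.
pub fn targets_fixed(d: &TcpDestination, allow_private: bool, resolve: Resolver<'_>) -> Result<Vec<SocketAddr>, String> {
    let t: Vec<SocketAddr> = match d {
        TcpDestination::HostName(h, p) => resolve(h).into_iter().map(|ip| SocketAddr::new(ip, *p)).collect(),
        TcpDestination::Address(sa) => vec![*sa],
    };
    if !allow_private {
        if let Some(bad) = t.iter().find(|sa| is_restricted_ip(sa.ip())) {
            return Err(format!("{bad} is a private/loopback address"));
        }
    }
    Ok(t) // caller connects to exactly these; no second lookup, so no DNS-rebinding window
}
/// Pre-fix shape described in the advisory: the policy runs only on the HostName arm.
pub fn targets_vulnerable(d: &TcpDestination, allow_private: bool, resolve: Resolver<'_>) -> Result<Vec<SocketAddr>, String> {
    match d {
        TcpDestination::Address(sa) => Ok(vec![*sa]), // bug: straight to connect(), no check
        TcpDestination::HostName(..) => targets_fixed(d, allow_private, resolve), // this arm was checked
    }
}
```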
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF bypass in the public-facing VPN `tcp_forwarder` directly enables T1190 (exploiting the exposed service to reach internal addresses without authorization) and T1046 (Network Service Discovery: abusing the connect primitive to probe for private or loopback services).
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): enforces information flow rules that block unauthorized connections from the `TcpDestination::Address` path to loopback/private IPs when `allow_private_network_connections = false`.
- AC-3 (Access Enforcement): directly enforces the access control policy that the missing `is_global_ip`/`is_loopback` checks were intended to implement for numeric IP destinations.
- SC-7 (Boundary Protection): boundary protection mechanisms at the VPN server would restrict the unauthorized outbound flows to internal addresses that the SSRF bypass enabled.