Description
TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.
Published: 2026-01-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side Request Forgery with private network access
Action: Apply Patch
AI Analysis

Impact

TrustTunnel is an open‑source VPN protocol that allows a server‑side request forgery when a numeric IP is supplied. The SSRF protection is only applied to hostname destinations; numeric IP destinations bypass the check for private or loopback addresses, which lets an attacker reach internal services even when the server is configured to deny private network connections. This flaw is a CWE‑918 vulnerability with a CVSS score of 7.1, indicating that an attacker could achieve confidentiality or integrity violations on the vulnerable host or on internal network assets.

Affected Systems

All installations of TrustTunnel by AdGuard running a version earlier than 0.9.114 are affected. The affected product is the TrustTunnel VPN server, which can be hosted on any platform where TrustTunnel is deployed.

Risk and Exploitability

The CVSS base score of 7.1 denotes a high severity issue, while the EPSS score of less than 1 % indicates a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog, and no known public exploitation has been reported. The likely attack vector involves an attacker crafting a connection request to the TrustTunnel server that includes a numeric IP destination; because the SSRF validation is omitted for such destinations, the server will connect to the supplied private or loopback address, potentially exposing internal services or facilitating lateral movement. Given the default configuration of allow_private_network_connections = false, any client with access to the server’s forwarding interface can exploit this weakness.

Generated by OpenCVE AI on April 18, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TrustTunnel to version 0.9.114 or newer to incorporate the SSRF fix.
  • Restart all TrustTunnel services so the updated code and configuration are active.
  • Apply network segmentation or firewall rules on the TrustTunnel host to block outbound connections to private IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8) as an additional defense.
  • Monitor TrustTunnel logs for unexpected connections to internal IP ranges and investigate promptly.

Generated by OpenCVE AI on April 18, 2026 at 01:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Adguard
Adguard trusttunnel
CPEs cpe:2.3:a:adguard:trusttunnel:*:*:*:*:*:*:*:*
Vendors & Products Adguard
Adguard trusttunnel

Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Trusttunnel
Trusttunnel trusttunnel
Vendors & Products Trusttunnel
Trusttunnel trusttunnel

Thu, 29 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
Description TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.
Title TrustTunnel has SSRF and private network restriction bypass via numeric address destinations
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

Subscriptions

Adguard Trusttunnel
Trusttunnel Trusttunnel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T21:33:10.256Z

Reserved: 2026-01-27T19:35:20.530Z

Link: CVE-2026-24902

cve-icon Vulnrichment

Updated: 2026-01-29T21:33:05.970Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-29T22:15:54.893

Modified: 2026-02-20T20:57:04.633

Link: CVE-2026-24902

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses