CVE-2026-24902

Good to know:

Date: January 29, 2026

TrustTunnel is an open-source VPN protocol with a server-side request forgery and private network restriction bypass in versions prior to 0.9.114. In "tcp_forwarder.rs", SSRF protection for "allow_private_network_connections = false" was only applied in the "TcpDestination::HostName(peer)" path. The "TcpDestination::Address(peer) => peer" path proceeded to "TcpStream::connect()" without equivalent checks (for example "is_global_ip", "is_loopback"), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.
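The class of fix described above, as an added example that is not TrustTunnel's own code: both destination variants are normalised to socket addresses first, and a single policy check runs on the result, so a numeric IP cannot skip it. The payload shape of `TcpDestination`, the helpers `is_restricted` and `connect_targets`, and the `resolve` hook are hypothetical names chosen for illustration.

```rust
use std::net::{IpAddr, SocketAddr};

// Hypothetical stand-in for the destination enum named in the advisory.
pub enum TcpDestination {
    HostName((String, u16)),
    Address(SocketAddr),
}

// Assumed policy helper: true for loopback, private, link-local,
// unspecified, broadcast and multicast addresses.
pub fn is_restricted(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            v4.is_loopback() || v4.is_private() || v4.is_link_local()
                || v4.is_unspecified() || v4.is_broadcast() || v4.is_multicast()
        }
        IpAddr::V6(v6) => {
            // ::ffff:a.b.c.d must be judged as the IPv4 address it wraps.
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_restricted(IpAddr::V4(v4));
            }
            let first = v6.segments()[0];
            v6.is_loopback() || v6.is_unspecified() || v6.is_multicast()
                || (first & 0xfe00) == 0xfc00 // unique local, fc00::/7
                || (first & 0xffc0) == 0xfe80 // link-local, fe80::/10
        }
    }
}

// Returns the socket addresses a forwarder may pass to TcpStream::connect().
// `resolve` is a hypothetical DNS hook so the example runs offline.
pub fn connect_targets(
    dest: &TcpDestination,
    allow_private_network_connections: bool,
    resolve: impl Fn(&str, u16) -> Vec<SocketAddr>,
) -> Result<Vec<SocketAddr>, String> {
    // Normalise both variants to addresses before any policy decision.
    let candidates = match dest {
        TcpDestination::HostName((host, port)) => resolve(host, *port),
        TcpDestination::Address(peer) => vec![*peer],
    };
    // One check for every path: a numeric IP gets no shortcut.
    if !allow_private_network_connections {
        if let Some(bad) = candidates.iter().find(|a| is_restricted(a.ip())) {
            return Err(format!("blocked non-public target {}", bad));
        }
    }
    Ok(candidates)
}
```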

Severity Score

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version https://github.com/TrustTunnel/TrustTunnel.git - v0.9.115

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): HIGH
Availability (A): NONE
