What happened
ToolJet prior to 3.20.178-lts allows any authenticated user with a builder role to overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes server-side. Because marketplace plugins are shared across the platform, a single low-privileged builder can compromise all users and all connected data sources, AI workflows, and agent integrations system-wide.
Why it matters
ToolJet is an AI-native platform for building agentic workflows and internal tools. Server-side JavaScript execution via a marketplace plugin gives an attacker full backend access, including all database credentials, API keys for AI services, and the ability to manipulate or exfiltrate every agent workflow and connected data source on the instance.
Attack vector
An authenticated user with a builder role (available on the free tier) can send a crafted API request to overwrite a globally-shared marketplace plugin with arbitrary JavaScript. The malicious JavaScript executes server-side with ToolJet's backend privileges, enabling full server compromise and lateral movement to all connected data sources and AI agent configurations.
Affected systems
ToolJet < 3.20.178-lts
Mitigation
Upgrade to ToolJet 3.20.178-lts or later. Advisory: https://github.com/ToolJet/ToolJet/security/advisories/GHSA-jgmf-cw3v-r98x
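As an added triage helper (written for this note, not code from the advisory or the ToolJet project), the following Python script checks a version inventory against the fixed release named above. It assumes ToolJet version strings follow MAJOR.MINOR.PATCH with an optional "-suffix" such as "-lts", and that the suffix labels the edition rather than affecting numeric ordering; the hostnames in the sample inventory are constructed.

```python
import re
from typing import NamedTuple, Optional

# First fixed release according to the advisory (GHSA-jgmf-cw3v-r98x)
FIXED_VERSION = "3.20.178-lts"

# Assumed version format: MAJOR.MINOR.PATCH with an optional "-suffix";
# the suffix is treated as an edition label and ignored for ordering.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    suffix: Optional[str]

    @property
    def numeric(self):
        # Tuple comparison gives the natural major/minor/patch ordering
        return (self.major, self.minor, self.patch)


def parse_version(text: str) -> Version:
    """Parse a version string; raise ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return Version(int(major), int(minor), int(patch), suffix)


def is_affected(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(version_text).numeric < parse_version(fixed).numeric


def triage(inventory: dict) -> dict:
    """Split an {instance: version} inventory into affected/patched/unknown.

    Unparseable versions land in 'unknown' so they are reviewed by hand
    rather than silently treated as patched.
    """
    result = {"affected": [], "patched": [], "unknown": []}
    for name, ver in inventory.items():
        try:
            bucket = "affected" if is_affected(ver) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up
    sample = {
        "tooljet-prod.example": "3.20.178-lts",
        "tooljet-staging.example": "3.20.177-lts",
        "tooljet-dev.example": "3.19.4",
        "tooljet-legacy.example": "unknown",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything reported as "unknown" should be checked manually rather than assumed safe; the numeric comparison also deliberately does not distinguish editions, so a 3.20.178 build with a different suffix is treated as fixed only because the advisory names no edition-specific exception.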