What happened
ToolJet prior to 3.20.1780-lts exposes a POST /api/data-sources/decrypt endpoint that decrypts and returns stored credentials in plaintext to any authenticated caller, without verifying that the caller has permission to access the referenced credential_id. An attacker with any ToolJet account can enumerate and extract all stored API keys, database passwords, and service credentials used across all AI agent data sources.
Why it matters
ToolJet stores credentials for all data sources connected to AI agent workflows — databases, APIs, cloud services, AI provider keys. Unrestricted plaintext credential decryption effectively gives any authenticated user a master key dump of the entire platform's secret store, enabling full compromise of all downstream AI infrastructure and data sources.
Attack vector
Any authenticated user can call the POST /api/data-sources/decrypt endpoint with an arbitrary credential_id and receive the plaintext decrypted value of that credential. There is no authorization check confirming the caller owns or has access to the referenced credential. This allows systematic enumeration and extraction of all stored secrets.
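The missing check described above, shown as the flawed handler shape beside a corrected one. This is an added example, not ToolJet's code or its actual fix. The types, function names, in-memory store and the string-reversing `decryptValue` stand-in are assumptions made for illustration, and the sample records are constructed.

```typescript
// Added illustration, not ToolJet source: every name below is hypothetical.
type StoredCredential = { id: string; orgId: string; dataSourceId: string; ciphertext: string };
type Caller = { userId: string; orgId: string; dataSourceIds: string[] };
type DecryptResult = { status: number; value?: string };

// Stand-in for the platform's real decryption routine (assumption).
function decryptValue(ciphertext: string): string {
  return ciphertext.split("").reverse().join("");
}

// Constructed sample data: two tenants, one credential each.
const credentialStore = new Map<string, StoredCredential>([
  ["cred-1", { id: "cred-1", orgId: "org-a", dataSourceId: "ds-1", ciphertext: "1-terces" }],
  ["cred-2", { id: "cred-2", orgId: "org-b", dataSourceId: "ds-2", ciphertext: "2-terces" }],
]);

// Flawed shape described in the advisory: the caller is authenticated,
// but nothing ties the caller to the referenced credential_id.
function decryptUnchecked(caller: Caller | null, credentialId: string): DecryptResult {
  if (caller === null) return { status: 401 };
  const cred = credentialStore.get(credentialId);
  if (cred === undefined) return { status: 404 };
  return { status: 200, value: decryptValue(cred.ciphertext) };
}

// Corrected shape: object-level authorization runs before any decryption.
function decryptAuthorized(caller: Caller | null, credentialId: string): DecryptResult {
  if (caller === null) return { status: 401 };
  const cred = credentialStore.get(credentialId);
  // "Missing" and "not yours" get the same answer, so responses do not
  // reveal which credential ids exist.
  if (
    cred === undefined ||
    cred.orgId !== caller.orgId ||
    !caller.dataSourceIds.includes(cred.dataSourceId)
  ) {
    return { status: 404 };
  }
  return { status: 200, value: decryptValue(cred.ciphertext) };
}
```

A regression test for the fixed release can follow the same pattern: a caller from one tenant requesting another tenant's credential id must never receive a 200 with a value.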
Affected systems
ToolJet < 3.20.1780-lts
Mitigation
Upgrade to ToolJet 3.20.1780-lts. Advisory: https://github.com/ToolJet/ToolJet/security/advisories/GHSA-x7qj-hfg8-p4cw