Security Vulnerability – Insufficient Access Control on /api/organization and /api/resources Endpoints via Embedded Pages

We have identified a security vulnerability affecting Retool embedded pages. Sensitive API endpoints (/api/organization and /api/resources) lack proper access control, allowing any authenticated user to retrieve sensitive information.


Context:

We are planning to expose Retool screens to our end-users through embedded apps. This vulnerability is a critical blocker for that initiative, as it would allow any end-user—who has no privileges whatsoever outside the embedded application—to access highly sensitive internal data.


Steps to Reproduce:

  1. Authenticate using an embed URL via the /api/embed-url/external-user endpoint.
  2. Load this URL in an iframe.
  3. Using browser dev tools, copy a cURL command from any Retool API request made within this iframe.
  4. Execute the cURL command, replacing the target endpoint with /api/organization while keeping all authentication headers intact.
  5. Observe that sensitive organization data is returned (e.g., all Retool user emails, license key, etc.).
  6. Repeat step 4 targeting /api/resources instead.
  7. Observe that database connection strings and credentials are exposed.

Impact:

  • Data exposed via /api/organization: Full list of Retool user emails, Retool license information.
  • Data exposed via /api/resources: Database connection URLs and username, API information.

Expected Behavior:

Access to /api/organization and /api/resources should be restricted based on the caller's identity and role. Embed tokens should not grant access to these administrative endpoints.

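The expected behavior described in the report (restrict the two endpoints by caller identity and role, and never let an embed token reach them) can be modelled as a small authorization check. The following is an added illustration, not Retool's own code: the endpoint paths are the two named in the report, while the authentication kinds, role names, the embed allowlist and the audit-record shape are assumptions chosen for the example.

```python
"""Authorization model separating embed-token callers from administrative users.

Added example, not Retool code. Endpoint paths come from the report; AuthKind,
role names, EMBED_ALLOWED and the audit record format are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class AuthKind(Enum):
    """How the caller authenticated (assumed categories)."""
    SESSION = auto()      # interactive Retool login
    EMBED_TOKEN = auto()  # token minted for an external user of an embedded app


@dataclass(frozen=True)
class Principal:
    subject: str
    auth_kind: AuthKind
    roles: frozenset = field(default_factory=frozenset)


# Administrative endpoints named in the report, mapped to the role a caller
# needs (role names are assumptions).
ADMIN_ENDPOINTS = {
    "/api/organization": "org_admin",
    "/api/resources": "resource_admin",
}

# Endpoints an embedded app legitimately needs (assumed allowlist).
EMBED_ALLOWED = frozenset({"/api/pages", "/api/queries/run"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, path: str) -> Decision:
    """Decide whether `principal` may call `path`.

    Order matters: the authentication context is checked before roles, so an
    embed token is confined to the allowlist even if it carries admin roles.
    """
    if principal.auth_kind is AuthKind.EMBED_TOKEN:
        if path in EMBED_ALLOWED:
            return Decision(True, "embed allowlist")
        return Decision(False, "embed token may not call non-allowlisted endpoint")

    required = ADMIN_ENDPOINTS.get(path)
    if required is not None:
        if required in principal.roles:
            return Decision(True, f"role {required}")
        return Decision(False, f"missing role {required}")

    return Decision(True, "authenticated session")


def audit_record(principal: Principal, path: str, decision: Decision) -> dict:
    """Structured event for the audit log; denials on admin endpoints are the
    ones a detection rule would alert on (field names are assumptions)."""
    return {
        "subject": principal.subject,
        "auth_kind": principal.auth_kind.name,
        "path": path,
        "allowed": decision.allowed,
        "reason": decision.reason,
        "alert": (not decision.allowed) and path in ADMIN_ENDPOINTS,
    }


def regression_results() -> list:
    """Cases mirroring the report, as (name, passed) pairs: an embed token must
    be denied on both endpoints, admins allowed, plain members denied."""
    embed = Principal("external-user-42", AuthKind.EMBED_TOKEN)
    # An embed token that somehow carries an admin role must still be denied.
    embed_with_role = Principal("external-user-43", AuthKind.EMBED_TOKEN,
                                frozenset({"org_admin", "resource_admin"}))
    admin = Principal("alice@example.com", AuthKind.SESSION,
                      frozenset({"org_admin", "resource_admin"}))
    member = Principal("bob@example.com", AuthKind.SESSION)
    cases = [
        ("embed -> /api/organization denied", embed, "/api/organization", False),
        ("embed -> /api/resources denied", embed, "/api/resources", False),
        ("embed with roles -> /api/resources denied", embed_with_role, "/api/resources", False),
        ("embed -> /api/pages allowed", embed, "/api/pages", True),
        ("admin -> /api/organization allowed", admin, "/api/organization", True),
        ("member -> /api/organization denied", member, "/api/organization", False),
    ]
    return [(name, authorize(p, path).allowed == want) for name, p, path, want in cases]


if __name__ == "__main__":
    for name, passed in regression_results():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
    embed = Principal("external-user-42", AuthKind.EMBED_TOKEN)
    print(audit_record(embed, "/api/organization", authorize(embed, "/api/organization")))
```

The design choice worth noting is that the authentication context is evaluated before any role lookup: an embed token is an allowlist-only credential, so the check cannot be bypassed by whatever group membership the token's external user happens to have. The `alert` flag on denied admin-endpoint calls is the signal a detection rule would key on, since an embed-authenticated caller has no legitimate reason to request /api/organization or /api/resources.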

Thank you for bringing this to our attention. To help us investigate further, could you please confirm:

  • Are you experiencing this on Retool Cloud or Retool Self-hosted?
  • If self-hosted, which version are you running?

I've tested this on version 3.300.0-stable and while I can confirm that some organization and resource data is being returned, I haven't been able to reproduce:

  • All Retool user emails being exposed
  • The actual license key being returned
  • Resource secrets being exposed—these appear as "---encrypted-on-server---" when I query the /api/resources endpoint

Would you be able to share (privately) any screenshots demonstrating the exposure of resource secrets and email addresses? Please feel free to redact portions of the sensitive values.

That said, I can see both endpoints are returning significant metadata and agree these endpoints should have stricter access controls, and I'll escalate this to our engineering team.

We use the stable version 3.300.8 of Retool on-premise. The passwords are indeed "---encrypted-on-server---". The license key is not directly visible but there is a whole licenseVerification and licenseStatus block.

Thank you for coming back to me. I’m glad to hear the passwords are encrypted. As for the licensing blocks, this contains information like license status, feature entitlements, pricing structure (such as your account type and plan level) and some internal identifiers. I have included this as a concern when reaching out to our engineering team. I’ll be sure to keep you posted with any feedback on this!

I found how to remove visibility on other user accounts. There was a checkbox "View users page with emails" in the "Additional" tab of permissions. It was checked for the "All Users" group. Hard to say whether it was a historical mistake or a default value.


Thanks again for reporting this, @Gloubiboulga. It definitely is a gap in access control that we want to address and the fix will be a fairly high priority. I'll follow up here when that work has been done. 👍