Retool integrates with most major data sources that you'd need to build your internal tools, from databases like PostgreSQL and MySQL, to internal REST APIs and GraphQL, as well as external APIs like Stripe, Firebase, and Github. Security is top of mind for us as we aim to serve developer needs in both SMB and Enterprise settings.
Infrastructure
We take great care to work with best-in-class infrastructure providers that provide secure computing and storage. We are happy to provide more details about our infrastructure upon request.
Endpoint Security
We follow industry best practices for endpoint security. We are happy to provide more details about our endpoint security practices upon request.
Network Security
We protect our corporate network against external and internal threats.
SOC2 Type II
Retool retains A-Lign for our SOC2 Type II annual report. We expect to receive the report by the end of December. In the meantime, our SOC2 bridge letter is available directly in the trust center.
Annual Pentest
Retool is still undergoing our annual penetration test. We expect a finalized report by the end of December.
Vulnerabilities
CVE-2025-29774 and CVE-2025-29775 (SAMLStorm)
A vulnerability in an open-source library, xml-crypto, which Retool uses for SAML login implementation, allowed for account takeovers through forged SAML identity provider (IdP) assertions. In the worst case, an external threat actor could forge arbitrary assertions for a SAML IdP, potentially leading to full account takeovers within an organization.
Exploitation requires no user interaction, and an attacker could gain unauthorized access to an organization with escalated privileges. More information about these vulnerabilities is available on the WorkOS website.
| Field | Value |
|---|---|
| Vulnerability Type | Improper Verification of Cryptographic Signature |
| Package | xml-crypto |
| Affected Component | Retool organizations using SAML SSO |
| Attack Type | Remote |
| Impact | Account Takeover |
| Reference | https://workos.com/blog/samlstorm |
| Discoverer | Alexander Tan (ahacker1) |
Fixed release versions
| Branch | Versions |
|---|---|
| Edge | 3.170.0-edge |
| Stable | 3.148.3-stable |
| Stable | 3.114.16-stable |
Affected release versions
| Release branch | Release versions |
|---|---|
| Edge | 3.149.0 to 3.168.0 |
| 3.148-stable | 3.148.0 to 3.148.2 |
| Edge | 3.111.0 to 3.144.0 |
| 3.114-stable | 3.114.0 to 3.114.15 |
| | < 3.111.0 |
CVE-2025-47424
Self-hosted deployments of Retool missing the BASE_DOMAIN environment variable may in some cases be vulnerable to host header injection. All vulnerable versions can be remediated immediately by setting the BASE_DOMAIN environment variable to the full URL of the deployment, such as https://retool.example.com. Beginning with 3.196.0, this environment variable is required for an instance to boot.
| Disclosure | Details |
|---|---|
| Vulnerability Type | CWE-1289: Improper Validation of Unsafe Equivalence in Input |
| Vendor of Product | Retool |
| Affected Product Code Base | See the affected release versions table below |
| Affected Component | Self-hosted Retool organizations |
| Attack Type | Remote |
| Impact | Escalation of Privileges |
| CVSS 3.x Base Score | 7.1 |
| CVSS 3.x Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C |
| CVSS 4.x Base Score | 5.3 |
| CVSS 4.x Vector | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/R:U |
| Reference | https://docs.retool.com/releases |
| Discoverer | Robinhood Red Team and Doyensec |
| Fixed Version | 3.196.0+ |
Is my version of Retool affected?
All current Retool on-prem instances that have not yet disabled password-based authentication may be vulnerable (this is easily checked by verifying that there is no form to log in with a password when opening Retool). If password auth has not been disabled, your Retool instance is potentially vulnerable if all of the following apply to you:
- You do not have the BASE_DOMAIN environment variable set.
- Your Retool instance is reachable without any request filtering based on the Host header. This is likely the case if you are not using a reverse proxy, or if that reverse proxy forwards requests for all domains.
- A user in your instance relies solely on password-based authentication. This is the case when all of the following apply:
  - You have the Disable Login with Email and Password setting disabled.
  - You have not enforced Two Factor Authentication.
  - A user in your instance does not have a second factor of authentication configured.
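The following is an added illustration of what a configured BASE_DOMAIN buys you; it is not Retool's code, and the function names, the `untrusted.example` host and the sample paths are constructed for the example (retool.example.com is the placeholder the advisory itself uses). With a canonical origin configured, the application can compare the request's Host header against it (or ignore the header entirely when building its own absolute URLs); with nothing configured, there is nothing to compare against.

```python
"""Host-header allowlisting against a configured BASE_DOMAIN (added illustration, not Retool code)."""
from __future__ import annotations
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def canonical_origin(base_domain: str | None) -> tuple[str, str, int] | None:
    """Parse BASE_DOMAIN, e.g. 'https://retool.example.com', into (scheme, host, port).
    Returns None when the variable is unset; rejects values that are not a full URL."""
    if not base_domain:
        return None
    parts = urlsplit(base_domain.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"BASE_DOMAIN must be a full URL with scheme and host: {base_domain!r}")
    return parts.scheme, parts.hostname.rstrip("."), parts.port or DEFAULT_PORTS[parts.scheme]

def normalize_host_header(host_header: str, scheme: str) -> tuple[str, int] | None:
    """Split an incoming Host header into (lowercase host, port); None if malformed.
    Parsing it as a URL authority handles case, default ports and IPv6 literals uniformly."""
    try:
        parts = urlsplit(f"{scheme}://{host_header.strip()}")
        if not parts.hostname:
            return None
        return parts.hostname.rstrip("."), parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # e.g. a non-numeric port
        return None

def request_host_is_trusted(base_domain: str | None, host_header: str) -> bool:
    """True only when the request's Host matches the configured origin exactly.
    With no BASE_DOMAIN there is nothing to compare against, so nothing is trusted."""
    origin = canonical_origin(base_domain)
    if origin is None:
        return False
    scheme, host, port = origin
    return normalize_host_header(host_header, scheme) == (host, port)

def public_url(base_domain: str | None, host_header: str, path: str) -> str:
    """Build an absolute URL the application hands back to a user (for example in an email).
    The weak pattern behind host-header injection derives the origin from the request's Host;
    the hardened pattern takes it only from BASE_DOMAIN and ignores the header."""
    origin = canonical_origin(base_domain)
    if origin is None:
        return f"https://{host_header}{path}"  # weak: reflects a client-controlled Host
    scheme, host, port = origin
    authority = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"  # hardened: configured origin only

if __name__ == "__main__":
    # Constructed sample inputs: untrusted.example stands in for any unexpected Host value.
    print(public_url(None, "untrusted.example", "/reset"))                          # weak
    print(public_url("https://retool.example.com", "untrusted.example", "/reset"))  # hardened
    print(request_host_is_trusted("https://retool.example.com", "Retool.Example.COM:443"))
```

A reverse proxy that only forwards requests whose Host matches the deployment's hostname provides the same comparison one layer earlier, which is why the advisory lists Host-based filtering as a mitigating condition.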
Affected release versions
| Release | Release versions |
|---|---|
| 3.18 | 3.18.1 to 3.18.23 |
| 3.20 | 3.20.1 to 3.20.18 |
| 3.22 | 3.22.1 to 3.22.21 |
| 3.24 | 3.24.1 to 3.24.22 |
| 3.26 | 3.26.4 to 3.26.14 |
| 3.28 | 3.28.3 to 3.28.15 |
| 3.30 | 3.30.1 to 3.30.15 |
| 3.32 | 3.32.1 to 3.32.12 |
| 3.33 | 3.33.1-stable to 3.33.37-stable |
| 3.52 | 3.52.1-stable to 3.52.28-stable |
| 3.75 | 3.75.1-stable to 3.75.25-stable |
| 3.114 | 3.114.1-stable to 3.114.22-stable |
| 3.148 | 3.148.1-stable to 3.148.22-stable |
Notification Update: 2025-05-09
An email to customers sent on 2025-05-09 incorrectly described which Retool instances are affected.