
Changelog

Updates, changes, and improvements at Retool.

July 2nd, 2025 Cloud vulnerability disclosure

Retool Cloud was vulnerable to an unauthenticated account takeover via the "Passwordless Login" feature. This could have been used to take over Retool user accounts in organizations using this feature. We successfully patched our cloud deployment for all customers on June 17th, 2025, at 2:26 PM PDT, and no further action is required from customers. All potentially affected customers have been notified as of July 2nd, 2025.

There are no indications that this vulnerability was publicly known, or that anyone attempted to exploit it, before it was patched. Thanks to Rens van der Linden from QUAYOUNG for responsibly and privately disclosing the vulnerability to us.

We will communicate further updates here, should any become necessary.

Overview

  • Who is affected?: Cloud customers whose users successfully used passwordless login without MFA enabled.
  • What are the mitigations?: No action required from you; we have deployed a fix to our cloud environment already. For an added layer of security, consider also enforcing MFA in your Retool organization.
  • What is the impact?: Potential account takeover in your Retool organization by unauthenticated outside users.
  • What are indicators of compromise?: Suspicious login events in audit logs, email notifications about suspicious logins from new IP addresses, unexpected magic login link emails.

Was my organization affected?

Organizations with passwordless login enabled and MFA enforcement disabled, or with individual accounts that did not have MFA activated, were vulnerable. Enforcing MFA on the organization level prevented this vulnerability from being exploitable, as did enabling MFA for individual accounts.

We were able to narrow down further which customers this was possible for and notified all customers that were potentially affected. Specifically, we notified organizations with at least one user who successfully logged in using the passwordless login feature and whose account, at the time of that login, did not have MFA enabled.

We have no indications of this vulnerability being known publicly before we fixed it, nor any attacks or attempted attacks using the vulnerability.

What steps has Retool taken to address the vulnerability?

A patch has already been deployed to Retool's Cloud environment. No action is required from you at this time, but we recommend enforcing MFA in your Retool organization for an extra layer of security.

What is the impact?

Prior to our fix, this vulnerability enabled unauthenticated users to take over accounts in your organization through the passwordless login feature.

What are indicators of compromise (IOCs)?

Retool audit logs will contain events for successful passwordless logins, and such an event is always emitted for any successful attack using this vulnerability. An unexpected successful passwordless login event after April 22, 2024 can indicate a compromise.

Additionally, malicious logins may be identified by correlating them with email notifications for logins from new IP addresses. Attempted attacks would be indicated by unexpected passwordless login request emails from Retool. Matching the timing of those emails to login event timestamps in Retool Cloud, and checking with the users who received them, can be used to determine whether a login was unexpected. Using your email provider's search or vault functionality to bulk search for these IOCs is advised.
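As an added example (not Retool's code, and not Retool's actual audit-log or email format), the correlation described above applied to constructed sample data: successful passwordless logins after April 22, 2024 on accounts without MFA are flagged, the source IP is checked against IPs previously seen for that user, and any magic-link email received shortly before the login is attached so the user can be asked whether they requested it. The field names and the event name `passwordless_login_success` are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Date from the advisory: successful passwordless logins after it may indicate compromise.
VULN_WINDOW_START = datetime(2024, 4, 22, tzinfo=timezone.utc)

# Constructed sample data; field names are an assumption, not Retool's real schema.
AUDIT_EVENTS = [
    {"ts": "2024-06-01T09:00:00Z", "user": "alice@example.com", "event": "passwordless_login_success", "ip": "203.0.113.10", "mfa": True},
    {"ts": "2023-12-01T09:00:00Z", "user": "bob@example.com", "event": "passwordless_login_success", "ip": "203.0.113.20", "mfa": False},
    {"ts": "2025-06-10T02:15:00Z", "user": "bob@example.com", "event": "passwordless_login_success", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2025-06-11T08:00:00Z", "user": "carol@example.com", "event": "password_login_success", "ip": "203.0.113.30", "mfa": False},
]
# Constructed "magic login link" emails, as exported from the mail provider's search.
MAGIC_LINK_EMAILS = [{"ts": "2025-06-10T02:14:30Z", "user": "bob@example.com"}]
# Source IPs each user had already been seen from before the window (constructed).
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.20"}}


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2025-06-10T02:15:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious_logins(events, magic_link_emails, known_ips, email_window=timedelta(minutes=15)):
    """Return review findings for successful passwordless logins.

    A login is reported when it succeeded via passwordless login, happened after
    VULN_WINDOW_START, and the account had no MFA (MFA-protected accounts were not
    exploitable). Each finding notes whether the IP was new for the user and the
    timestamp of any magic-link email received within email_window before the login.
    """
    findings = []
    for ev in events:
        if ev["event"] != "passwordless_login_success":
            continue
        ts = parse_ts(ev["ts"])
        if ts <= VULN_WINDOW_START or ev["mfa"]:
            continue
        new_ip = ev["ip"] not in known_ips.get(ev["user"], set())
        preceding = [m["ts"] for m in magic_link_emails
                     if m["user"] == ev["user"]
                     and timedelta(0) <= ts - parse_ts(m["ts"]) <= email_window]
        findings.append({"user": ev["user"], "ts": ev["ts"], "ip": ev["ip"], "new_ip": new_ip,
                         "magic_link_email_ts": preceding[0] if preceding else None})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(AUDIT_EVENTS, MAGIC_LINK_EMAILS, KNOWN_IPS):
        print(finding)
```

Each finding is a lead to confirm with the named user, not proof of compromise on its own.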