ToolJet, Uptime Kuma, Outline: the internal dashboards that quietly face the internet
Not every exposed panel is a database console or a deploy controller. A whole category sits one rung down: the internal dashboards a team self-hosts to run itself. A low-code tool builder that connects to your databases. A status monitor that watches your infrastructure. A team wiki where the runbooks and the "here's the staging password" notes live. None of them is "the database" or "the platform," so they get less attention, which is exactly why they end up quietly facing the internet and staying there.
The risk here is rarely the panel handing over your whole company in one click. It's that each one is a window into how you operate, and for ToolJet specifically, a window with a connection to your data behind it. Built for the team, reachable by everyone, and forgotten.
Three dashboards, three different windows
The three differ in purpose but share the same exposure: an internal operations surface reachable without auth.
- ToolJet - an open-source low-code platform for building internal tools. The point of ToolJet is that it connects to your data sources (databases, APIs, third-party services) so the apps built on it can read and write real data. An exposed ToolJet isn't just a dashboard; it's a builder sitting on top of live connections to your backend. That makes it the most consequential of the three.
- Uptime Kuma - a self-hosted uptime monitor. Its dashboard lists the things you watch: your services, their URLs, sometimes internal hostnames and ports, and the health of each. Exposed, it's a free inventory of your infrastructure and which parts are currently down (a useful thing for an attacker to know).
- Outline - a team wiki. The danger isn't the wiki software; it's what teams put in wikis: runbooks, architecture notes, onboarding docs, and, far too often, credentials and internal URLs pasted into a page "just for the team." An exposed Outline is a searchable knowledge base of how you work and what you know.
Each check is gated on the product's own markup (the ToolJet dashboard markers, Uptime Kuma's title and injected config, Outline's team-data markers), so a hit confirms the real tool, not a lookalike.
Why "just an internal tool" still matters
The blast radius varies, and that's the honest framing. Uptime Kuma and Outline are rated medium because the immediate prize is information, not control: your infrastructure inventory, your runbooks, the internal hostnames and the occasional credential a teammate pasted into a doc. That's reconnaissance gold: it tells an attacker where to look next and sometimes hands them a working secret, but it's a step in a chain rather than the end of one. ToolJet sits higher in practice precisely because of its data connections: get past its login and you may be one query from the database it's wired to. In every case the exposure follows the same well-worn path: self-hosted "for the team," put on a public host for convenience, secured by a login nobody walled off.
Keep internal tools internal
The fix is the one that fits every operator-facing tool: don't let the public reach it. Behind that, ordinary login hygiene, and for the wiki, a habit change.
# tools.yoursite.com / status.yoursite.com / wiki.yoursite.com # all answering the public internet
Put each tool behind your VPN or an IP allowlist so only the team can reach the login at all, and require SSO or two-factor behind that. For Outline and any wiki, fix the root cause: credentials belong in a secret manager, never pasted into a doc, because a wiki is built to be searchable and shared, which is the opposite of what a secret needs. And scope ToolJet's data-source credentials to least privilege so an exposed builder can't reach more than it must.
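One way to act on the wiki advice above, as an added example that is not code from SurfaceCheckr or Outline: a heuristic scan for pasted credentials, so they can be rotated and moved to a secret manager. It assumes the wiki's pages have been exported as Markdown text; the sample pages, rule names and patterns are constructed for illustration and are not exhaustive.

```python
import re

# Heuristic rules (illustrative assumptions, not exhaustive): (name, pattern).
RULES = [
    ("url-with-credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("password-assignment", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S{6,}")),
]

# Constructed sample standing in for a Markdown export of the wiki's pages.
SAMPLE_PAGES = {
    "runbooks/staging-deploy.md": (
        "# Staging deploy\n"
        "1. SSH to the bastion.\n"
        "2. DB: postgres://deploy:Sup3rS3cret@db.staging.internal:5432/app\n"
        "staging password: hunter2-staging\n"
    ),
    "onboarding/welcome.md": (
        "# Welcome\n"
        "Ask your lead for a password reset link.\n"  # must not be flagged
        "AWS key for the sandbox: AKIAIOSFODNN7EXAMPLE\n"  # AWS docs example key
    ),
    "architecture/overview.md": "# Overview\nServices talk over gRPC.\n",
}


def scan_pages(pages):
    """Return (path, line_no, rule, redacted_line) for each suspected secret."""
    findings = []
    for path, text in sorted(pages.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES:
                match = pattern.search(line)
                if match:
                    # Redact the match so the report does not become a second leak.
                    redacted = line[:match.start()] + "[REDACTED]" + line[match.end():]
                    findings.append((path, line_no, rule, redacted.strip()))
    return findings


if __name__ == "__main__":
    for path, line_no, rule, redacted in scan_pages(SAMPLE_PAGES):
        print(f"{path}:{line_no}: {rule}: {redacted}")
```

Treat every hit as a credential to rotate, not just to delete from the page, since the wiki's revision history and any earlier exposure still hold the old value.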
Reading it from outside
Whether these dashboards answer the public internet is something a stranger settles by loading the URL, and that's the check SurfaceCheckr runs, from outside, with no credentials. Each probe requires the tool's own content signatures, so it confirms the real ToolJet, Uptime Kuma, or Outline and doesn't fire on a generic dashboard. It reads only what the panel serves anonymously and stops; it never logs in or queries a connected data source. These are the quiet ones, easy to forget because they're "just internal," which is exactly why they're worth a look from the outside, where an attacker would find them first. The neighboring reads are the monitoring and infra panels and the internal hostnames and dev notes that leak the same kind of intel.