An unauthenticated blind SSRF (Server-Side Request Forgery) vulnerability was identified and disclosed by a Tenable Security researcher. The vulnerability is due to the server not requiring LTI tools to sign their requests, allowing crafted API calls from end users to make the server query arbitrary hosts. Host responses are not returned to the client, which is what makes the SSRF blind.
Canvas code changes were committed to master on 8/5/2020. This fix is a breaking change set; Canvas is following the regular release process to give LTI tool owners time to make the necessary changes.
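As an added illustration of the kind of check the fix requires (this is not Canvas code), the following is a minimal OAuth 1.0a HMAC-SHA1 request verifier such as an LTI 1.x consumer uses to reject unsigned or tampered tool requests. The in-memory consumer-key store, the `url` parameter and the sample request values are constructed assumptions; the request URL is assumed to be passed without its query string, with query and body parameters merged into `params`.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Assumption: a simple in-memory store of consumer key -> shared secret (constructed values).
CONSUMER_SECRETS = {"tool-key-123": "tool-secret-xyz"}


def _pct(value):
    """RFC 5849 percent-encoding: only unreserved characters are left as-is."""
    return quote(str(value), safe="~")


def normalized_params(params):
    """Encode, sort and join every parameter except the signature itself."""
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """METHOD&url&params, each component percent-encoded."""
    return "&".join([method.upper(), _pct(url), _pct(normalized_params(params))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with secret&token_secret (token secret is empty for LTI)."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_request(method, url, params, now=None, max_age=300):
    """Return True only for a request signed by a known consumer within the allowed time window."""
    secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key", ""))
    if secret is None or "oauth_signature" not in params:
        return False  # unknown tool, or unsigned request: never forwarded
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > max_age:
        return False  # stale or replayed request
    expected = sign(method, url, params, secret)
    return hmac.compare_digest(expected, params["oauth_signature"])
```

Any parameter a tool sends, including a URL the server is asked to fetch, is covered by the signature, so a user who alters it without the shared secret fails verification before any outbound request is made.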