Which versions of Appsmith are affected by CVE-2026-34411?

CVE-2026-34411 presents notable security risk, a missing authentication vulnerability rated CVSS 6.9. This could allow unauthorized access to protected resources.. A patch is available.

Appsmith CVE-2026-34411

Q: What is the CVSS score of CVE-2026-34411?

CVE-2026-34411 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-16721 MEDIUM

Missing Authentication for Critical Function (CWE-306)

2026-03-27 VulnCheck

GHSA-hvm5-gpg2-9x56

Authentication Bypass Appsmith

6.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

6.9 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Mar 27, 2026 - 16:45 euvd

EUVD-2026-16721

Analysis Generated

Mar 27, 2026 - 16:45 vuln.today

Patch released

Mar 27, 2026 - 16:45 nvd

Patch available

CVE Published

Mar 27, 2026 - 16:24 nvd

MEDIUM 6.9

DescriptionCVE.org

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.

AnalysisAI

Appsmith versions prior to 1.98 allow unauthenticated remote attackers to access sensitive instance management API endpoints (/api/v1/consolidated-api/view, /api/v1/tenants/current) without authentication, enabling disclosure of configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains. This authentication bypass facilitates reconnaissance for targeted follow-up attacks against Appsmith deployments and their administrators. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects low-complexity remote unauthenticated access with confidentiality impact but no integrity or availability impact, consistent with information disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker performs network scanning or passive reconnaissance to identify publicly exposed Appsmith instances. Upon discovery, the attacker makes unauthenticated HTTP requests to /api/v1/tenants/current and /api/v1/consolidated-api/view, receiving unprotected configuration and licensing metadata without providing credentials. …
Remediation	Upgrade Appsmith to version 1.98 or later to apply the vendor-released patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34411 vulnerability details – vuln.today

Back