Skip to main content

Appsmith CVE-2026-55455

| EUVDEUVD-2026-39111 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-24 GitHub_M
5.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.4 MEDIUM

Network-exploitable with authenticated low-privilege access; scope changes to internal container services justify S:C, with low C and I reflecting limited service probing impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 23:03 EUVD
Analysis Generated
Jun 24, 2026 - 22:27 vuln.today

DescriptionCVE.org

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.

AnalysisAI

Server-side request forgery in Appsmith prior to version 2.1 allows authenticated users to reach loopback-bound services inside the deployment container by exploiting a split code path in host validation logic. The WebClientUtils component used by REST API and GraphQL datasource plugins enforces only an exact-match string denylist, while the comprehensive address-class check covering loopback, any-local, link-local, and fc00::/7 IPv6 ranges exists solely on the SMTP plugin code path - leaving the HTTP path bypassable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Appsmith with low-privilege account
Delivery
Navigate to REST API or GraphQL datasource configuration
Exploit
Supply loopback URL variant bypassing exact-match denylist
Execution
Trigger outbound HTTP request via WebClientUtils
Persist
Receive response from internal loopback-bound container service
Impact
Probe or interact with internal services

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Appsmith session with at least low-privilege access to create or modify REST API or GraphQL datasource plugin configurations - the vulnerable code path is only reachable through these two plugin types. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N reflects the real-world constraint: exploitation requires a low-privilege authenticated session, which substantially limits the exposed attack surface compared to unauthenticated SSRF. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Appsmith user with datasource configuration permissions creates a new REST API datasource and sets the base URL to a loopback address variant not matched by the exact-match string denylist (e.g., an IPv6 representation of localhost or a non-standard encoding). The platform's WebClientUtils issues the outbound HTTP request without triggering the comprehensive address-class check, reaching an internal container service such as an unauthenticated admin API or metadata endpoint. …
Remediation Upgrade Appsmith to version 2.1 or later, which introduces the comprehensive address-class validation (loopback, any-local, link-local, fc00::/7) on the HTTP plugin code path in WebClientUtils, closing the denylist bypass. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2026-22794 CRITICAL POC
9.6 Jan 12

Appsmith before 1.93 allows attackers to control the Origin header value used as the base URL in password reset and emai

CVE-2022-39824 HIGH POC
8.9 Sep 05

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code

CVE-2024-51408 MEDIUM POC
6.5 Nov 04

AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to

CVE-2022-4096 MEDIUM POC
6.5 Nov 21

Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2. Rated medium severity (CVSS

CVE-2026-7299 MEDIUM POC
6.3 Jun 02

Stored XSS in Appsmith's SQL query editor autocomplete allows an authenticated Developer-role user to inject persistent

CVE-2026-55454 CRITICAL
9.9 Jun 24

Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side req

CVE-2026-24042 CRITICAL
9.4 Jan 22

Appsmith platform version 1.94 and below has a missing authorization vulnerability that allows unauthenticated access to

CVE-2026-30862 CRITICAL
9.0 Mar 10

Appsmith platform prior to version 1.96 has a critical stored XSS enabling account takeover through crafted admin panel

CVE-2026-50189 HIGH
8.9 Jun 24

Authenticated command execution in Appsmith versions prior to 2.1 lets any administrator run arbitrary OS commands insid

CVE-2022-38298 HIGH
8.8 Sep 12

Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via re

CVE-2026-34411 MEDIUM
6.9 Mar 27

Appsmith versions prior to 1.98 allow unauthenticated remote attackers to access sensitive instance management API endpo

Share

CVE-2026-55455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy