CVE-2026-22794 - Vulnerability Details

- Account Takeover Vulnerability in Appsmith

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93.

Published: 2026-01-12

Score: 9.7 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Appsmith v1.93 and later introduced proper validation when constructing email reset and verification links. Prior to that, the platform accepted the Origin header from incoming HTTP requests and used it as the base URL for authentication emails. An attacker who can set a malicious Origin header in a request can cause the system to generate password reset or verification links that point to a domain under the attacker’s control. When a user clicks such a link, the attacker receives sensitive authentication tokens embedded in the link, allowing the attacker to hijack the account. This flaw directly impacts authentication and confidentiality of user accounts, classified as CWE‑346.

Affected Systems

Appsmith (appsmithorg:appsmith) is affected for all releases before version 1.93. The vulnerability exists in the server component that sends email links; any deployment of Appsmith before the 1.93 patch is vulnerable.

Risk and Exploitability

The CVSS score of 9.7 denotes a critical severity. EPSS is reported as < 1 %, indicating a low probability of current exploitation under normal circumstances, and the vulnerability is not listed in the CISA KEV catalog. The exploitation route requires an attacker to control an HTTP request to the server to provide a forged Origin header, which is feasible for remote adversaries with internet access to the Appsmith instance. Once the link is delivered via email, the attacker can immediately compromise the affected account.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

appsmithorg

appsmith

affected

Version	Status	Constraints
`< 1.93`	affected	—

Configuration 1 [-]

cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Appsmith	Appsmith	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Appsmith version 1.93 or later to apply the removal of unvalidated Origin usage.
Verify that the email link base URL in the application configuration is set to a trusted domain and that the Origin header is ignored for link generation.
If an upgrade cannot be performed immediately, block or validate the Origin header on the app server, or disable password reset and verification flows until the patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 06:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv

History

Wed, 21 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:appsmith:appsmith::::::::

Tue, 13 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 13 Jan 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Appsmith Appsmith appsmith
Vendors & Products		Appsmith Appsmith appsmith

Mon, 12 Jan 2026 22:00:00 +0000

Type	Values Removed	Values Added
Description		Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93.
Title		Account Takeover Vulnerability in Appsmith
Weaknesses		CWE-346
References		https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633 https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv
Metrics		cvssV3_1 `{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Subscriptions

Appsmith Appsmith

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-12T21:54:52.803Z

Updated: 2026-01-13T19:08:29.794Z

Reserved: 2026-01-09T18:27:19.389Z

Link: CVE-2026-22794

Vulnrichment

Updated: 2026-01-13T14:14:38.909Z

NVD

Status : Analyzed

Published: 2026-01-12T22:16:08.633

Modified: 2026-01-21T19:14:17.880

Link: CVE-2026-22794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses

CWE-346

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object