CVE-2026-24042 - Vulnerability Details

- Appsmith public apps can execute unpublished actions (viewMode confusion)

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.

Published: 2026-01-22

Score: 9.4 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Appsmith versions 1.94 and older allow any user with internet access to trigger edit‑mode, unpublished actions by making a POST request to /api/v1/actions/execute with viewMode=false (or omitting the flag). This bypasses the supposed boundary that public viewers should only run published actions, enabling the attacker to read sensitive data, run edit‑mode queries or APIs, and trigger side‑effect behaviors. The vulnerability is a classic example of missing access control for authorized actions.

Affected Systems

The affected vendor is Appsmith, specifically the appsmith org product. All releases at or below version 1.94 are impacted. No higher versions were listed in the advisory; newer releases have presumably removed the flaw.

Risk and Exploitability

The CVSS base score of 9.4 indicates critical severity, while the EPSS score is below 1%—the exploit probability is low but non‑zero. The vulnerability is not listed in the CISA KEV catalog, but since it is reachable by unauthenticated users on any public Appsmith app, the practical risk is high. Attackers need only identify a public app and send a crafted request; no special credentials or prior knowledge are required. The lack of an available patch at the time of the advisory further compounds the risk, making mitigation actions essential.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

appsmithorg

appsmith

affected

Version	Status	Constraints
`<= 1.94`	affected	—

Configuration 1 [-]

cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Appsmith	Appsmith	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Appsmith to a version newer than 1.94 or the latest available release.
Restrict or disable public access to apps that contain edit‑mode actions, ensuring only properly published actions are exposed.
Monitor traffic for POST requests to /api/v1/actions/execute with viewMode=false and block or quarantine any suspicious activity.

Generated by OpenCVE AI on April 18, 2026 at 03:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883

History

Tue, 17 Feb 2026 18:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:appsmith:appsmith::::::::

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Appsmith Appsmith appsmith
Vendors & Products		Appsmith Appsmith appsmith

Thu, 22 Jan 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 22 Jan 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.
Title		Appsmith public apps can execute unpublished actions (viewMode confusion)
Weaknesses		CWE-862
References		https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883
Metrics		cvssV3_1 `{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}`

Subscriptions

Appsmith Appsmith

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-22T03:52:54.463Z

Updated: 2026-01-22T12:28:28.202Z

Reserved: 2026-01-20T22:30:11.777Z

Link: CVE-2026-24042

Vulnrichment

Updated: 2026-01-22T12:28:19.380Z

NVD

Status : Analyzed

Published: 2026-01-22T04:16:00.187

Modified: 2026-02-17T17:50:44.837

Link: CVE-2026-24042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object