Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.
Published: 2026-06-24
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a server-side request forgery: an attacker can supply arbitrary SMTP host and port values to the administrative /api/v1/admin/send-test-email endpoint. Because the endpoint opens a direct JavaMail TCP connection without validating the target IP, it bypasses the IP-based request filtering that only applies to outbound Spring WebClient HTTP requests. The raw exception message returned by the JavaMail library is sent back in the API error response, giving the attacker service banner information and enabling internal port scanning and service enumeration. The vulnerability is classified under CWE-918 and CWE-209.
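The fix pattern the description implies, as an added example that is not Appsmith's code: resolve the admin-supplied smtpHost once, reject any record that points inside the deployment's address space, and return a fixed error message while the MailException detail goes to the server log. The class and method names and the set of allowed ports are assumptions.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;
import java.util.logging.Logger;

public final class SmtpTargetGuard {
    private static final Logger LOG = Logger.getLogger(SmtpTargetGuard.class.getName());
    // Assumed policy: only the usual SMTP relay/submission ports are accepted.
    private static final Set<Integer> ALLOWED_PORTS = Set.of(25, 465, 587, 2525);

    /** Resolve the host once and reject any record that points inside the deployment. */
    public static InetAddress validate(String smtpHost, int smtpPort) {
        if (!ALLOWED_PORTS.contains(smtpPort)) {
            throw new IllegalArgumentException("SMTP port not permitted");
        }
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(smtpHost);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("SMTP host could not be resolved");
        }
        for (InetAddress a : addrs) {          // every A/AAAA record must pass, not just the first
            if (isInternal(a)) {
                throw new IllegalArgumentException("SMTP host resolves to a non-public address");
            }
        }
        // Hand this address (not the hostname) to the mail transport, so a second
        // DNS lookup at connect time cannot return a different, internal answer.
        return addrs[0];
    }

    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (b.length == 4) {                   // 100.64.0.0/10 shared address space (RFC 6598)
            return (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40;
        }
        return (b[0] & 0xfe) == 0xfc;          // IPv6 unique local addresses, fc00::/7
    }

    /** Log the MailException detail server-side; the API response carries a fixed message. */
    public static String safeErrorMessage(Exception e) {
        LOG.warning("send-test-email failed: " + e);
        return "Unable to connect to the configured SMTP server.";
    }
}
```

The endpoint handler would call validate() before building the JavaMail session and return safeErrorMessage() from its catch block in place of MailException.getMessage().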

Affected Systems

All Appsmith installations running a version older than 1.99 expose the vulnerable endpoint. The issue is addressed in release 1.99 and newer, which remove the endpoint and add proper IP validation for outbound connections.

Risk and Exploitability

With a CVSS score of 5.1 the vulnerability is rated Medium. No public exploit is known and no EPSS score has been reported; the CVSS vector requires high privileges (PR:H), so exploitation needs administrative access to the API. The flaw is not present in the CISA KEV catalog, indicating no known exploitation in the wild. Because an attacker would need authenticated, privileged access to the administrative API, the risk is reduced in typical deployments.

Generated by OpenCVE AI on June 25, 2026 at 01:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Appsmith to version 1.99 or later, where the vulnerable endpoint has been removed and IP filtering is enforced.
  • Limit network exposure of the /api/v1/admin/send-test-email endpoint with firewall rules or an IP allowlist so that only trusted administrative hosts can reach it.
  • If an upgrade cannot be performed immediately, suppress verbose error messages from the API to prevent enumeration of internal services.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.
Title | | Appsmith: SSRF via `POST /api/v1/admin/send-test-email` - JavaMail Bypasses WebClient IP Filter
Weaknesses | | CWE-209, CWE-918
References | |
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:38:50.890Z

Reserved: 2026-06-02T18:30:51.282Z

Link: CVE-2026-49979

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T01:15:15Z

Weaknesses
  • CWE-209: Generation of Error Message Containing Sensitive Information
  • CWE-918: Server-Side Request Forgery (SSRF)