Impact
Appsmith is a platform that enables building admin panels, internal tools, and dashboards. In versions before 2.1, the bundled supervisord component exposes an XML‑RPC interface on port 9001 that is reachable from outside the container thanks to a publicly routed path, /supervisor/*, in the Caddy reverse‑proxy. The supervisory password (APPSMITH_SUPERVISOR_PASSWORD) is unintentionally exposed through the public API GET /api/v1/admin/env, so any authenticated administrator can acquire the credential. With that credential an attacker may craft arbitrary XML‑RPC calls to supervisord, such as invoking twiddler.addProgramToGroup, allowing execution of arbitrary OS commands inside the Docker container. As a result, an authenticated administrator’s privileges are effectively turned into a container‑level privilege escalation, and the flaw is categorized as CWE‑183 and CWE‑918.
Affected Systems
The flaw affects installations of Appsmith prior to version 2.1. The vendor Appsmith Org’s product is affected; any deployment that has not applied the 2.1 release inherits the exposed supervisord interface and the publicly viewable supervisory password.
Risk and Exploitability
With a CVSS score of 8.9, the vulnerability carries high impact. Exploitation requires a valid administrator account and internet access to the /supervisor route; once achieved, an attacker can execute shell commands in the container. No publicly available exploit code is known and the entry is not listed in CISA KEV, but the lack of a publicly disclosed countermeasure and the requirement for authentication make the risk significant for exposed deployments. The EPSS metric is not available, leaving the likelihood of exploitation uncertain but warranting proactive remediation.
OpenCVE Enrichment