Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup. This vulnerability is fixed in 2.1.
Published: 2026-06-24
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Appsmith is a platform that enables building admin panels, internal tools, and dashboards. In versions before 2.1, the bundled supervisord component exposes an XML‑RPC interface on port 9001 that is reachable from outside the container thanks to a publicly routed path, /supervisor/*, in the Caddy reverse‑proxy. The supervisory password (APPSMITH_SUPERVISOR_PASSWORD) is unintentionally exposed through the public API GET /api/v1/admin/env, so any authenticated administrator can acquire the credential. With that credential an attacker may craft arbitrary XML‑RPC calls to supervisord, such as invoking twiddler.addProgramToGroup, allowing execution of arbitrary OS commands inside the Docker container. As a result, an authenticated administrator’s privileges are effectively turned into a container‑level privilege escalation, and the flaw is categorized as CWE‑183 and CWE‑918.

Affected Systems

The flaw affects installations of Appsmith prior to version 2.1. The vendor Appsmith Org’s product is affected; any deployment that has not applied the 2.1 release inherits the exposed supervisord interface and the publicly viewable supervisory password.

Risk and Exploitability

With a CVSS score of 8.9, the vulnerability carries high impact. Exploitation requires a valid administrator account and internet access to the /supervisor route; once achieved, an attacker can execute shell commands in the container. No publicly available exploit code is known and the entry is not listed in CISA KEV, but the lack of a publicly disclosed countermeasure and the requirement for authentication make the risk significant for exposed deployments. The EPSS metric is not available, leaving the likelihood of exploitation uncertain but warranting proactive remediation.

Generated by OpenCVE AI on June 25, 2026 at 00:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Appsmith to version 2.1 or later to remove the exposed supervisord interface
  • Revoke or strongly protect the APPSMITH_SUPERVISOR_PASSWORD stored in the environment, ensuring it is not returned by any public API
  • Restrict or disable external access to the /supervisor route in the reverse‑proxy configuration or by disabling supervisord XML‑RPC if it is not required for your deployment

Generated by OpenCVE AI on June 25, 2026 at 00:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Appsmith
Appsmith appsmith
Vendors & Products Appsmith
Appsmith appsmith

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup. This vulnerability is fixed in 2.1.
Title Appsmith: RCE via Supervisord XML-RPC Admin Interface Exposed via /supervisor Caddy Route
Weaknesses CWE-183
CWE-918
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Appsmith Appsmith
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:25:05.636Z

Reserved: 2026-06-03T22:05:13.645Z

Link: CVE-2026-50189

cve-icon Vulnrichment

Updated: 2026-06-25T15:12:34.377Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-183

    Permissive List of Allowed Inputs

  • CWE-918

    Server-Side Request Forgery (SSRF)