Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Appsmith versions prior to 2.1 are vulnerable to server-side request forgery in the REST API and GraphQL datasource plugins. The HTTP outbound host filter relies on an exact-match denylist and does not perform a comprehensive address-class check for local or reserved IP ranges. Consequently, an authenticated user can craft requests that target loopback, any-local, link-local, or fc00::/7 addresses, allowing the application to communicate with services running inside the container. The weakness is identified as CWE-918.

Affected Systems

The vulnerability affects installations of Appsmith provided by appsmithorg. All releases before version 2.1 are susceptible; versions 2.1 and later include the fix.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium). The EPSS score is not available, so the exploitation probability is unknown at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker who has authenticated access can exploit this flaw to reach internal services within the container, potentially exposing sensitive data or enabling further lateral movement. The attack vector requires valid credentials but can be carried out from any network that can reach the Appsmith instance.

Generated by OpenCVE AI on June 25, 2026 at 00:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Appsmith to version 2.1 or later.
  • If an upgrade is not immediately feasible, block outbound HTTP requests from the application to internal network ranges such as 127.0.0.1, 0.0.0.0, ::1, and link‑local addresses using firewall rules or a reverse proxy.
  • Restrict privileged access by applying the principle of least privilege so that only trusted users can configure datasource plugins.
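The description above contrasts an exact-match string denylist with an address-class check, and the second recommended action asks for internal ranges to be blocked. The following Python is an added illustration of that difference; it is not Appsmith's code and does not reproduce WebClientUtils. The denylist entries, hostnames and the resolver results are constructed for the example, and the address classes it rejects are exactly the ones the advisory names (loopback, any-local, link-local, fc00::/7), with IPv4-mapped IPv6 addresses unwrapped before classification.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List

# Constructed exact-match denylist in the style the advisory describes
# (hypothetical entries, not the project's actual list).
EXACT_MATCH_DENYLIST = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}

# fc00::/7 (unique local addresses) is named explicitly by the advisory.
UNIQUE_LOCAL_V6 = ipaddress.IPv6Network("fc00::/7")


def exact_match_filter(host: str) -> bool:
    """Weak check: rejects only hosts whose literal string is on the denylist.

    Any other spelling of the same destination (a different loopback address,
    an IPv4-mapped IPv6 form, or a DNS name that resolves to loopback) passes.
    Returns True when the request would be allowed."""
    return host.strip().lower() not in EXACT_MATCH_DENYLIST


def is_internal_address(addr) -> bool:
    """Address-class check: loopback, any-local (unspecified), link-local, fc00::/7.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so that the
    embedded IPv4 address is what gets classified."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        return True
    return isinstance(addr, ipaddress.IPv6Address) and addr in UNIQUE_LOCAL_V6


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its A/AAAA records via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def address_class_filter(
    host: str, resolver: Callable[[str], Iterable[str]] = default_resolver
) -> bool:
    """Hardened check: classify every address the host denotes or resolves to.

    Returns True when the request may proceed. The host is rejected when it is a
    literal internal address, when ANY resolved address is internal (a name with
    mixed public and internal records must not pass), or when resolution fails."""
    host = host.strip().strip("[]")  # tolerate bracketed IPv6 literals
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # not an IP literal: treat as a hostname below
    if literal is not None:
        return not is_internal_address(literal)
    try:
        resolved = list(resolver(host))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False  # fail closed when the name cannot be resolved
    if not resolved:
        return False
    return not any(is_internal_address(ipaddress.ip_address(a)) for a in resolved)


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "127.0.0.2", "::ffff:127.0.0.1", "203.0.113.10"):
        print(candidate, exact_match_filter(candidate), address_class_filter(candidate))
```

Two practical points follow from the code. First, the resolver is injectable so the check can be exercised offline and so a deployment can pin resolution; a name-based check is only as good as the agreement between the address it classified and the address the HTTP client later connects to, so the resolved address should be handed to the client rather than letting it resolve the name a second time. Second, the function fails closed on resolution errors and on mixed record sets, which is the behaviour a datasource plugin should want when it cannot prove a destination is external.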

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Initial record; no values removed. Values added:

  Description: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
  Title: Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist
  Weaknesses: CWE-918
  References: (none recorded)
  Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:36:21.863Z

Reserved: 2026-06-16T22:10:37.607Z

Link: CVE-2026-55455

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:15:02Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)