CVE-2026-24042

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.

CVSS v3 9.4 CRITICAL

9.4^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*

History

17 Feb 2026, 17:50

Type	Values Removed	Values Added
CPE		cpe:2.3:a:appsmith:appsmith::::::::
First Time		Appsmith Appsmith appsmith
References	~~() https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883 -~~	() https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883 - Third Party Advisory

22 Jan 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-22 04:16

Updated : 2026-02-17 17:50

NVD link : CVE-2026-24042

Mitre link : CVE-2026-24042

CVE.ORG link : CVE-2026-24042

JSON object : View

Products Affected

appsmith

appsmith

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-24042", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-01-22T04:16:00.187", "references": [{"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit\u2011mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication."}], "lastModified": "2026-02-17T17:50:44.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0D385D9-E0EC-4CED-AB28-87B2CD03C5E8", "versionEndIncluding": "1.94"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}