CVE-2026-55454

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.
Configurations

Configuration 1 (hide)

cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*

History

26 Jun 2026, 19:50

Type Values Removed Values Added
References () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc - () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc - Exploit, Third Party Advisory
First Time Appsmith
Appsmith appsmith
CPE cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*

25 Jun 2026, 16:16

Type Values Removed Values Added
References () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc - () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc -

24 Jun 2026, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-24 22:16

Updated : 2026-06-26 19:50


NVD link : CVE-2026-55454

Mitre link : CVE-2026-55454

CVE.ORG link : CVE-2026-55454


JSON object : View

Products Affected

appsmith

  • appsmith
CWE
CWE-749

Exposed Dangerous Method or Function

CWE-1188

Insecure Default Initialization of Resource