Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.
References
| Link | Resource |
|---|---|
| https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc | Exploit Third Party Advisory |
| https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc | Exploit Third Party Advisory |
Configurations
History
26 Jun 2026, 19:50
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc - Exploit, Third Party Advisory | |
| First Time |
Appsmith
Appsmith appsmith |
|
| CPE | cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:* |
25 Jun 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc - |
24 Jun 2026, 22:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-24 22:16
Updated : 2026-06-26 19:50
NVD link : CVE-2026-55454
Mitre link : CVE-2026-55454
CVE.ORG link : CVE-2026-55454
JSON object : View
Products Affected
appsmith
- appsmith
