Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
References
| Link | Resource |
|---|---|
| https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p | Third Party Advisory |
| https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p | Third Party Advisory |
Configurations
History
26 Jun 2026, 19:50
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Appsmith
Appsmith appsmith |
|
| CPE | cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
| References | () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p - Third Party Advisory |
25 Jun 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p - |
24 Jun 2026, 22:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-24 22:16
Updated : 2026-06-26 19:50
NVD link : CVE-2026-55455
Mitre link : CVE-2026-55455
CVE.ORG link : CVE-2026-55455
JSON object : View
Products Affected
appsmith
- appsmith
CWE
CWE-918
Server-Side Request Forgery (SSRF)
