CVE-2026-55455

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
Configurations

Configuration 1 (hide)

cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*

History

26 Jun 2026, 19:50

Type Values Removed Values Added
First Time Appsmith
Appsmith appsmith
CPE cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.1
References () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p - () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p - Third Party Advisory

25 Jun 2026, 14:16

Type Values Removed Values Added
References () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p - () https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p -

24 Jun 2026, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-24 22:16

Updated : 2026-06-26 19:50


NVD link : CVE-2026-55455

Mitre link : CVE-2026-55455

CVE.ORG link : CVE-2026-55455


JSON object : View

Products Affected

appsmith

  • appsmith
CWE
CWE-918

Server-Side Request Forgery (SSRF)