Appsmith: SSRF in REST API / GraphQL datasource plugins via...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.

Basic Information

ID CVE-2026-55455

Source GitHub_M

Published Jun 24, 2026 at 21:36

Affected Product

Vendor appsmithorg

Product appsmith

Version < 2.1

Affected Versions appsmithorg appsmith < 2.1

CWE Classification

CWE-918

References

github.com /appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p

{
    "lastseen": "",
    "description": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.",
    "published": "2026-06-24T21:36:21.863Z",
    "modified": "2026-06-24T21:36:21.863Z",
    "type": "cve",
    "title": "Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist",
    "source": "GitHub_M",
    "references": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p",
    "id": "CVE-2026-55455",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "appsmithorg appsmith < 2.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "appsmith",
    "version": "< 2.1",
    "vendor": "appsmithorg",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist_CVE-2026-55455