CVE-2026-34411

Medium CVSS: 6.9

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.

Vendor

Appsmith

Product

Appsmith

CWE

CWE-306

Yayın Tarihi

2026-03-27 17:16:30

Güncelleme

2026-03-31 16:26:41

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-306 Appsmith MEDIUM Appsmith 2026

Referanslar

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-qvvc-prjx-f85j https://www.vulncheck.com/advisories/appsmith-unauthenticated-instance-configuration-disclosure-via-management-apis

Benzer Kayıtlar

Critical

CVE-2026-30862

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulne…

Critical

CVE-2026-24042

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly acces…

Critical

CVE-2026-22794

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin…

Medium

CVE-2024-55965

An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development in…

Medium

CVE-2024-55963

An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the…

Critical

CVE-2024-55964

An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image lea…