CRITICAL🇵🇱 Wersja polska

CVE-2024-55964

CVSS 9.8v3.1pub. 2025-03-26upd. 2025-04-01

An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. The attacker must be able to access Appsmith, login to it, create a datasource, create a query against that datasource, and execute that query.

🤖 AI Analysis
How it works

An attacker who has access to an Appsmith instance and can log in is able to create a new data source pointing to an internal, misconfigured PostgreSQL instance. Then they create a query to this data source and execute it, which leads to running arbitrary system commands inside the Docker container. The vulnerability stems from improper configuration of the PostgreSQL server embedded directly in the Appsmith image, not from a vulnerability in the database engine itself.

Impact

A successful attack allows the attacker to execute arbitrary commands inside the Appsmith container, which may lead to container takeover, data leakage, and potential lateral movement in the containerized environment.

Mitigation & patch

Appsmith must be updated to version 1.52 or newer. Detailed information is available in the official security advisory from the vendor: https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m95x-4w54-gc83

Who is affected

Appsmith versions prior to 1.52 running as a Docker container (Appsmith image containing an embedded PostgreSQL instance)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Appsmith

    APP
    Appsmith
    < 1.52
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-55454CRITICAL9.9PL ✓ten sam produkt

Appsmith: SSRF umożliwia przejęcie konfiguracji reverse proxy Caddy

CVE-2026-30862CRITICAL9.0PL ✓ten sam produkt

Stored XSS w Appsmith Table Widget prowadzący do przejęcia konta admina

CVE-2026-24042CRITICAL9.4PL ✓ten sam produkt

Appsmith: nieuwierzytelniony dostęp do akcji trybu edycji (brak autoryzacji)

CVE-2026-22794CRITICAL9.6PL ✓ten sam produkt

Appsmith: przejęcie konta przez manipulację nagłówkiem Origin w linkach e-mail

CVE-2026-50189HIGH8.9ten sam produkt

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled...