CRITICAL🇵🇱 Wersja polska

CVE-2026-55454

CVSS 9.9v3.1pub. 2026-06-24upd. 2026-06-26

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.

🤖 AI Analysis
How it works

The Caddy administrative API (by default without authentication) listens on address 0.0.0.0:2019 inside the Docker container. Although this port is not directly published to the host by docker-compose.yml, it is accessible from the Appsmith server process. An attacker with low privileges can use the SSRF vulnerability to send a POST request to the /load endpoint (or any other admin API call) to address http://0.0.0.0:2019/, allowing complete replacement of the active Caddy configuration.

Impact

An attacker can completely replace the configuration of the running Caddy reverse proxy, leading to takeover of control over application network traffic, potential data disclosure (C:H), modification or destruction of resources (I:H), and disruption of service availability (A:H) — with effects extending beyond container boundaries (Scope: Changed).

Mitigation & patch

Appsmith should be updated to version 2.1 or later, where the vulnerability has been fixed. Until the update, it is recommended to restrict network access to port 2019 inside the container and verify the docker-compose configuration for network isolation.

Who is affected

Appsmith in versions prior to 2.1, running in a containerized environment (Docker).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Appsmith

    APP
    Appsmith
    < 2.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SSRFContainer
CWE
References

Related vulnerabilities

CVE-2026-30862CRITICAL9.0PL ✓ten sam produkt

Stored XSS w Appsmith Table Widget prowadzący do przejęcia konta admina

CVE-2026-24042CRITICAL9.4PL ✓ten sam produkt

Appsmith: nieuwierzytelniony dostęp do akcji trybu edycji (brak autoryzacji)

CVE-2026-22794CRITICAL9.6PL ✓ten sam produkt

Appsmith: przejęcie konta przez manipulację nagłówkiem Origin w linkach e-mail

CVE-2024-55964CRITICAL9.8PL ✓ten sam produkt

Appsmith: RCE przez błędnie skonfigurowany PostgreSQL w kontenerze Docker

CVE-2026-50189HIGH8.9ten sam produkt

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled...