CVE-2026-55454 | Appsmith is a platform to build admin panels, internal tools… | CVSS 9.9 CRITICAL

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.

Metadata

CVE ID: CVE-2026-55454
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-16 22:10 UTC
Published: 2026-06-24 21:38 UTC
Last updated: 2026-06-24 21:38 UTC
Primary CWE: CWE-749
CWE-749: Exposed Dangerous Method or Function
Vendor / Product: appsmithorg / appsmith
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
appsmithorg	appsmith	—	< 2.1

Weakness (CWE)

CWE	Source	Description
CWE-1188	cna	CWE-1188: Insecure Default Initialization of Resource
CWE-749	cna	CWE-749: Exposed Dangerous Method or Function

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc