CVE-2026-55455 | Appsmith is a platform to build admin panels, internal tools… | CVSS 5.3 MEDIUM

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.

Metadata

CVE ID: CVE-2026-55455
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-16 22:10 UTC
Published: 2026-06-24 21:36 UTC
Last updated: 2026-06-24 21:36 UTC
Primary CWE: CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product: appsmithorg / appsmith
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
appsmithorg	appsmith	—	< 2.1

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (1)

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p