CVE Catalog

CVE-2026-34411

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile - higher than 31% of all known CVEs

Summary

A vulnerability in Appsmith versions prior to 1.98 exposes sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains.

Risk Assessment

The risk involves reconnaissance and targeted attack planning by unauthorized users, potentially leading to data leakage and security breaches of the instance.

Recommendation

Immediately upgrade Appsmith to version 1.98 or later, which fixes this vulnerability. Additionally, restrict access to management APIs using a firewall or access control lists.

Original NVD description (English source)

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS