CVE-2026-34411
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk31th percentile - higher than 31% of all known CVEs
Summary
A vulnerability in Appsmith versions prior to 1.98 exposes sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains.
Risk Assessment
The risk involves reconnaissance and targeted attack planning by unauthorized users, potentially leading to data leakage and security breaches of the instance.
Recommendation
Immediately upgrade Appsmith to version 1.98 or later, which fixes this vulnerability. Additionally, restrict access to management APIs using a firewall or access control lists.
Original NVD description (English source)
Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.

