CVE Catalog

CVE-2026-50189

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

Appsmith before version 2.1 exposes the supervisord XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup.

Risk Assessment

The risk is remote code execution by an authenticated administrator, potentially leading to full container compromise and lateral movement within the infrastructure.

Recommendation

Immediately upgrade Appsmith to version 2.1 or later, which fixes this vulnerability. Additionally, restrict access to the /supervisor/* path and the XML-RPC interface to trusted networks only.

Original NVD description (English source)

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup. This vulnerability is fixed in 2.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS