CVE-2026-55454
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
In Appsmith before version 2.1, the bundled Caddy reverse-proxy exposes an unauthenticated admin API on port 2019 inside the container. A low-privileged authenticated user can exploit an SSRF vulnerability to send a POST /load request to this API, fully replacing the live Caddy configuration and taking over the reverse proxy.
Risk Assessment
An attacker can take over the reverse proxy, allowing traffic redirection, data eavesdropping, or further attacks on internal application resources.
Recommendation
Immediately update Appsmith to version 2.1 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.

