CVE Catalog

CVE-2026-55454

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile — higher than 25% of all known CVEs

Summary

In Appsmith before version 2.1, the bundled Caddy reverse-proxy exposes an unauthenticated admin API on port 2019 inside the container. A low-privileged authenticated user can exploit an SSRF vulnerability to send a POST /load request to this API, fully replacing the live Caddy configuration and taking over the reverse proxy.

Risk Assessment

An attacker can take over the reverse proxy, allowing traffic redirection, data eavesdropping, or further attacks on internal application resources.

Recommendation

Immediately update Appsmith to version 2.1 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS