CVE-2026-55455
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
Appsmith before version 2.1 has a vulnerability due to insufficient IP address filtering in HTTP requests. The host blocking mechanism relies on an exact-match denylist rather than comprehensive address checks (e.g., loopback), allowing an authenticated user to send requests to loopback services inside the container.
Risk Assessment
The risk involves the possibility of SSRF (Server-Side Request Forgery) attacks by an authenticated user, which could lead to unauthorized access to internal services within the container, potentially exposing sensitive data or enabling further privilege escalation.
Recommendation
Immediately update Appsmith to version 2.1 or later, which includes a fix for this vulnerability. In the meantime, consider restricting access to REST API and GraphQL for untrusted users.
Original NVD description (English source)
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.

