CVE Catalog

CVE-2026-55455

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile — higher than 13% of all known CVEs

Summary

Appsmith before version 2.1 has a vulnerability due to insufficient IP address filtering in HTTP requests. The host blocking mechanism relies on an exact-match denylist rather than comprehensive address checks (e.g., loopback), allowing an authenticated user to send requests to loopback services inside the container.

Risk Assessment

The risk involves the possibility of SSRF (Server-Side Request Forgery) attacks by an authenticated user, which could lead to unauthorized access to internal services within the container, potentially exposing sensitive data or enabling further privilege escalation.

Recommendation

Immediately update Appsmith to version 2.1 or later, which includes a fix for this vulnerability. In the meantime, consider restricting access to REST API and GraphQL for untrusted users.

Original NVD description (English source)

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS