BIT-appsmith-2026-22794

Import Source
https://github.com/bitnami/vulndb/tree/main/data/appsmith/BIT-appsmith-2026-22794.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-appsmith-2026-22794
Aliases
Published
2026-01-14T08:37:00.092Z
Modified
2026-01-14T09:26:20.801391Z
Summary
Account Takeover Vulnerability in Appsmith
Details

Appsmith is a platform for building admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the base URL for links in emails without validating it. If an attacker controls the Origin header, the password reset and email verification links in those emails can be generated pointing to the attacker's domain, exposing authentication tokens and potentially leading to account takeover. This vulnerability is fixed in 1.93.

Database specific
{
    "cpes": [
        "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*"
    ],
    "severity": "Critical"
}
References

Affected packages

Bitnami / appsmith

Package

Name
appsmith
Purl
pkg:bitnami/appsmith

Severity

  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.93.0

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/appsmith/BIT-appsmith-2026-22794.json"