BIT-appsmith-2026-24042

Import Source
https://github.com/bitnami/vulndb/tree/main/data/appsmith/BIT-appsmith-2026-24042.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-appsmith-2026-24042
Published
2026-01-29T08:36:35.250Z
Modified
2026-01-29T09:15:19.613915Z
Summary
Appsmith public apps can execute unpublished actions (viewMode confusion)
Details

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting the parameter) to POST /api/v1/actions/execute. This bypasses the expected publish boundary, under which public viewers should only be able to execute published actions, not their edit-mode versions. A successful attack can result in sensitive data exposure, execution of edit-mode queries and APIs, access to development data, and the ability to trigger side-effect behavior. This issue does not have a released fix at the time of publication.

Database specific
{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / appsmith

Package

Name
appsmith
Purl
pkg:bitnami/appsmith

Severity

  • 9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.95.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/appsmith/BIT-appsmith-2026-24042.json"