BIT-appsmith-2026-55455

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/appsmith/BIT-appsmith-2026-55455.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-appsmith-2026-55455
Aliases
Published
2026-06-29T05:37:58.273Z
Modified
2026-07-08T08:26:09.227469649Z
Summary
Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist
Details

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / appsmith

Package

Name
appsmith
Purl
pkg:bitnami/appsmith

Severity

  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/appsmith/BIT-appsmith-2026-55455.json"