CVE-2026-24042

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24042
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24042.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24042
Aliases
Published
2026-01-22T03:52:54.463Z
Modified
2026-01-29T09:26:17.654024Z
Severity
  • 9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
Appsmith public apps can execute unpublished actions (viewMode confusion)
Details

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.

Database specific 
{
    "cwe_ids": [
        "CWE-862"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24042.json"
}
References

Affected packages

Git / github.com/appsmithorg/appsmith

Affected ranges

Type
GIT
Repo
https://github.com/appsmithorg/appsmith
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c9ef50cc5ad7f5e16b8f5bee8a21f1f73677586c
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.94"
        }
    ]
}

Affected versions

V1.*
V1.22
v.*
v.1.6.23
v.1.6.25
v1.*
v1.0
v1.0-beta.2
v1.0.0-beta
v1.0.0-beta.1
v1.0.1
v1.0.2
v1.1
v1.10
v1.11
v1.12
v1.13
v1.14
v1.15
v1.16
v1.17
v1.18
v1.19
v1.2
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.2.18
v1.2.19
v1.2.2
v1.2.20
v1.2.21
v1.2.22
v1.2.23
v1.2.24
v1.2.25
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.20
v1.21
v1.22.1
v1.23
v1.24
v1.25
v1.26
v1.27
v1.28
v1.29
v1.3
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.5.1
v1.30
v1.31
v1.32
v1.33
v1.34
v1.35
v1.36
v1.36.1
v1.37
v1.38
v1.38.1
v1.39
v1.4
v1.4.1
v1.4.10
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.40
v1.41
v1.42
v1.43
v1.44
v1.45
v1.46
v1.47
v1.48
v1.49
v1.5
v1.5.1
v1.5.10
v1.5.17
v1.5.18
v1.5.19
v1.5.2
v1.5.20
v1.5.21
v1.5.22
v1.5.23
v1.5.24
v1.5.25
v1.5.26
v1.5.27
v1.5.28
v1.5.29
v1.5.3
v1.5.3.1
v1.5.3.2
v1.5.3.3
v1.5.30
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.50
v1.51
v1.52
v1.53
v1.54
v1.55
v1.56
v1.57
v1.58
v1.59
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.2
v1.6.20
v1.6.21
v1.6.22
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.60
v1.61
v1.62
v1.63
v1.64
v1.65
v1.66
v1.67
v1.68
v1.69
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.70
v1.71
v1.72
v1.73
v1.74
v1.75
v1.76
v1.77
v1.78
v1.79
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.14
v1.8.14.1
v1.8.15
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.80
v1.81
v1.82
v1.83
v1.84
v1.85
v1.86
v1.88
v1.89
v1.9.0
v1.9.1
v1.9.10
v1.9.11
v1.9.12
v1.9.13
v1.9.14
v1.9.15
v1.9.16
v1.9.17
v1.9.18
v1.9.19
v1.9.2
v1.9.20
v1.9.20.2
v1.9.20.3
v1.9.20.4
v1.9.21
v1.9.22
v1.9.23
v1.9.24
v1.9.25
v1.9.26
v1.9.27
v1.9.28
v1.9.29
v1.9.3
v1.9.3.1
v1.9.30
v1.9.31
v1.9.32
v1.9.33
v1.9.34
v1.9.35
v1.9.36
v1.9.37
v1.9.37.1
v1.9.38
v1.9.39
v1.9.4
v1.9.40
v1.9.41
v1.9.42
v1.9.43
v1.9.44
v1.9.45
v1.9.46
v1.9.47
v1.9.48
v1.9.49
v1.9.5
v1.9.50
v1.9.51
v1.9.52
v1.9.53
v1.9.54
v1.9.55
v1.9.56
v1.9.57
v1.9.58
v1.9.6
v1.9.60
v1.9.61
v1.9.7
v1.9.8
v1.9.9
v1.90
v1.91
v1.92
v1.93
v1.94

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24042.json"