
CVE-2026-55454 · Appsmith: Caddy admin API exposed without authentication

CVSS 9.9 (Critical) · EPSS 0.33% · P25

Affected Version Matrix (1)

Vendor      | Product  | Version Range | Status
appsmithorg | appsmith | < 2.1         | affected

I. Basic Information for CVE-2026-55454

Vulnerability Information


Vulnerability Title
Appsmith: Caddy admin API exposed without authentication
Source: NVD (National Vulnerability Database)
Vulnerability Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or through an SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.
Source: NVD (National Vulnerability Database)
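As an added illustration of the misconfiguration the description refers to (not part of the NVD record, and not Appsmith's own Caddyfile or its actual 2.1 patch), the fragment below shows a Caddyfile whose global options bind the admin API on all interfaces, followed by a hardened variant that disables it. Caddy's admin endpoint carries no authentication, so its exposure is governed entirely by the `admin` global option. The upstream hostname and port in `reverse_proxy` are placeholders; `0.0.0.0:2019` is the binding stated in the description.

```caddyfile
# --- Exposed configuration (the pattern described in the CVE) ---
# The admin API listens on every interface inside the container. Any process
# or request that can reach TCP/2019 from inside the network namespace,
# including an SSRF relayed by the application, can POST /load and replace
# the running configuration. No credential is ever required.
{
    admin 0.0.0.0:2019
}

:80 {
    # placeholder upstream, not Appsmith's real service name or port
    reverse_proxy backend.internal.placeholder:8080
}

# --- Hardened configuration (added here as a mitigation example) ---
# A Caddyfile has exactly one global options block, so this replaces the one
# above rather than coexisting with it. "admin off" removes the HTTP admin
# listener entirely; configuration changes then require reloading Caddy with
# a new Caddyfile instead of driving it over port 2019.
{
    admin off
}

:80 {
    # same placeholder upstream as above
    reverse_proxy backend.internal.placeholder:8080
}
```

If runtime reconfiguration over the API is genuinely needed, the narrower option is `admin localhost:2019` (Caddy's default), which at least keeps the listener off non-loopback interfaces; note that a request originating from inside the same container, as in the SSRF path described above, can still reach loopback, so `admin off` is the setting that actually closes the path described in this CVE. A quick post-deployment check from inside the container is to attempt a GET on http://localhost:2019/config/ and confirm the connection is refused.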
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Exposure of Dangerous Method or Function
Source: NVD (National Vulnerability Database)

Affected Products

Vendor      | Product  | Affected Versions | CPE
appsmithorg | appsmith | < 2.1             | -

II. Public POCs for CVE-2026-55454

No public POC found.

III. Intelligence Information for CVE-2026-55454


Vendor Advisories for CVE-2026-55454 (1)

Same Patch Batch · appsmithorg · 2026-06-24 · 4 CVEs total

CVE-2026-49979 · Appsmith: SSRF via `POST /api/v1/admin/send-test-email` — JavaMail Bypasses WebClient IP F
CVE-2026-50189 · Appsmith: RCE via Supervisord XML-RPC Admin Interface Exposed via /supervisor Caddy Route
CVE-2026-55455 · Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist

IV. Related Vulnerabilities

V. Comments for CVE-2026-55454

No comments yet
