CVE-2026-55455

CRITICAL

Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist

Title source: cna

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
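As an added illustration (this is not Appsmith's code and not WebClientUtils), the Python sketch below contrasts the two approaches the description refers to: an exact-match string denylist, which only rejects hosts spelled exactly as listed, and an address-class check that resolves the host and rejects any resulting address that is loopback, unspecified ("any-local"), link-local, or in fc00::/7. The hostnames, addresses and the DNS table are constructed for the example; the class checks use Python's `ipaddress` module rather than Java's `InetAddress`.

```python
"""Exact-match host denylist versus address-class check (added example).

Everything here is constructed for illustration: the hostnames, the addresses
and the fake DNS table. It is not Appsmith code.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Weak approach: literal strings. Anything not spelled exactly this way passes,
# even if it resolves to the same loopback service.
EXACT_MATCH_DENYLIST = {"localhost", "127.0.0.1", "::1"}


def allowed_by_string_denylist(host: str) -> bool:
    """Return True if the host is permitted under an exact-match denylist."""
    return host not in EXACT_MATCH_DENYLIST


def is_sensitive_address(addr: ipaddress._BaseAddress) -> bool:
    """Address-class check: loopback, unspecified (any-local), link-local, fc00::/7."""
    if isinstance(addr, ipaddress.IPv6Address):
        # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its IPv4 part.
        if addr.ipv4_mapped is not None:
            return is_sensitive_address(addr.ipv4_mapped)
        if addr in ipaddress.ip_network("fc00::/7"):
            return True
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve via the OS and return every address, so all candidates get checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def allowed_by_address_class(host: str, resolve: Resolver = system_resolver) -> bool:
    """Return True only if every address the host resolves to is outside the
    sensitive classes. Unresolvable or malformed hosts are rejected (fail closed)."""
    try:
        candidates = resolve(host.strip("[]"))  # accept bracketed IPv6 literals
    except (socket.gaierror, OSError):
        return False
    if not candidates:
        return False
    for raw in candidates:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return False
        if is_sensitive_address(addr):
            return False
    return True


# Constructed DNS table so the example runs offline. Addresses are documentation
# or reserved ranges, not real targets.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1", "::1"],
    "internal-admin.example": ["127.0.0.1"],  # a name that points at loopback
    "api.example": ["203.0.113.10"],          # public TEST-NET-3 address
    "metadata.example": ["169.254.1.1"],      # link-local
    "ula.example": ["fd00::1"],               # fc00::/7 unique local
}


def constructed_resolver(host: str) -> List[str]:
    """IP literals resolve to themselves; names come from CONSTRUCTED_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host!r}")
    return CONSTRUCTED_DNS[host]


def compare(hosts: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each host to (allowed by string denylist, allowed by address-class check)."""
    return {
        h: (allowed_by_string_denylist(h), allowed_by_address_class(h, constructed_resolver))
        for h in hosts
    }


if __name__ == "__main__":
    for host, (weak, strong) in compare(sorted(CONSTRUCTED_DNS) + ["0.0.0.0"]).items():
        print(f"{host:24} string-denylist allows={weak!s:5} address-class allows={strong}")
```

The point the output makes is that the string denylist lets "internal-admin.example" through while the address-class check rejects it, because the decision is made on the resolved addresses rather than on the spelling of the host. In a real deployment `system_resolver` replaces the constructed table, and the check must be applied to every address returned and again after any redirect the client follows.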

References (1)


Scores

CVSS v3 9.1
EPSS 0.0022
EPSS Percentile 12.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (2)
appsmith/appsmith < 2.1
appsmithorg/appsmith < 2.1
Published Jun 24, 2026
Tracked Since Jun 25, 2026