CVE-2026-55455
CRITICAL
Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist
Title source: cnaDescription
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
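To make the gap concrete, here is an added Python illustration (not Appsmith's Java code from WebClientUtils) of the two checks the advisory contrasts: an exact-match string denylist beside an address-class check covering loopback, any-local (unspecified), link-local and fc00::/7. The denylist contents and the test addresses are constructed for the example; in a real filter the hostname is resolved first and every returned address is classified.

```python
import ipaddress
from typing import Iterable, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed denylist of the exact-match kind the advisory describes.
EXACT_DENYLIST = {"127.0.0.1", "localhost", "0.0.0.0", "::1"}

# IPv6 unique-local range named in the advisory.
ULA_V6 = ipaddress.ip_network("fc00::/7")


def denylist_allows(host: str) -> bool:
    """Weak check: only literal strings present in the set are rejected."""
    return host.strip().lower() not in EXACT_DENYLIST


def is_disallowed_address(addr: Address) -> bool:
    """Address-class check: loopback, unspecified, link-local, or fc00::/7."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) and classify the mapped IPv4,
    # so the verdict does not depend on how the stdlib treats mapped forms.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        return True
    return isinstance(addr, ipaddress.IPv6Address) and addr in ULA_V6


def class_check_allows(resolved: Iterable[str]) -> bool:
    """Strong check over the resolved addresses of a host (DNS answers stand
    in as strings here): reject if ANY address is in a disallowed class, and
    reject when nothing resolved at all."""
    addrs = [ipaddress.ip_address(a.strip("[]")) for a in resolved]
    return bool(addrs) and not any(is_disallowed_address(a) for a in addrs)
```

The contrast to observe is that a host such as 127.0.0.2 passes the string denylist but is rejected by the class check, because the latter reasons about the address the request would actually reach rather than the spelling of the host.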
References (1)
x_refsource_confirm: https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p
Scores
CVSS v3: 9.1
EPSS: 0.0022
EPSS Percentile: 12.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (2)
appsmith/appsmith < 2.1
appsmithorg/appsmith < 2.1
Published: Jun 24, 2026
Tracked Since: Jun 25, 2026