Vulnerability Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-49979?
CVE-2026-49979 is a documented vulnerability. Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values an...
How severe is CVE-2026-49979?
CVSS scoring is not yet available for CVE-2026-49979. Check NVD for updates.
Is there a patch for CVE-2026-49979?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.