Vulnerability Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Appsmith | Appsmith | < 2.1 |
Related Weaknesses (CWE)
References
- https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjcExploitThird Party Advisory
- https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjcExploitThird Party Advisory
FAQ
What is CVE-2026-55454?
CVE-2026-55454 is a vulnerability with a CVSS score of 9.9 (CRITICAL). Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2...
How severe is CVE-2026-55454?
CVE-2026-55454 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-55454?
Check the references section above for vendor advisories and patch information. Affected products include: Appsmith Appsmith.