Vulnerability Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Appsmith | Appsmith | < 2.1 |
Related Weaknesses (CWE)
References
- https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7pThird Party Advisory
- https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7pThird Party Advisory
FAQ
What is CVE-2026-55455?
CVE-2026-55455 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins...
How severe is CVE-2026-55455?
CVE-2026-55455 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-55455?
Check the references section above for vendor advisories and patch information. Affected products include: Appsmith Appsmith.