XML-RPC Interface Vulnerability in Appsmith Dashboard Platform
CVE-2026-50189
8.9 HIGH
What is CVE-2026-50189?
Appsmith, a platform for building internal tools and dashboards, carries a significant vulnerability in versions before 2.1. The supervisord bundled with Appsmith exposes an XML-RPC interface on port 9001, and the Caddy reverse-proxy makes that interface reachable externally under /supervisor/*. The APPSMITH_SUPERVISOR_PASSWORD that protects the interface is handled insecurely: an authenticated administrator can retrieve it with a simple GET request. A malicious insider can therefore send arbitrary XML-RPC calls to supervisord and achieve OS command execution inside the Docker container. The issue is fixed in version 2.1, so affected deployments should upgrade promptly.
Affected Version(s)
appsmith < 2.1
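As an added illustration (not code from Appsmith or from this advisory), the following Python script scans reverse-proxy access-log lines for requests that reached the proxied /supervisor/* path, so a defender reviewing a pre-2.1 deployment can see whether the supervisord XML-RPC interface was touched. The Caddy-style JSON log format, the IP addresses and the sample records are constructed assumptions.

```python
import json

# Path prefix under which the advisory says the Caddy reverse-proxy forwards
# requests to the bundled supervisord XML-RPC interface.
SUPERVISOR_PREFIX = "/supervisor/"

# Constructed sample records in the shape of Caddy's JSON access log
# (assumed format); these are not real traffic.
SAMPLE_LOG = """\
{"request":{"remote_ip":"10.0.0.5","method":"GET","uri":"/api/v1/users/me"},"status":200}
{"request":{"remote_ip":"10.0.0.5","method":"GET","uri":"/supervisor/"},"status":200}
{"request":{"remote_ip":"10.0.0.9","method":"POST","uri":"/supervisor/RPC2"},"status":200}
{"request":{"remote_ip":"10.0.0.9","method":"POST","uri":"/supervisor/RPC2"},"status":401}
{"request":{"remote_ip":"10.0.0.7","method":"GET","uri":"/app/dashboard"},"status":200}
"""


def is_supervisor_path(uri: str) -> bool:
    """True if the request URI falls under the proxied /supervisor/* prefix."""
    path = uri.split("?", 1)[0]  # ignore any query string
    return path == SUPERVISOR_PREFIX.rstrip("/") or path.startswith(SUPERVISOR_PREFIX)


def find_supervisor_access(lines: list[str]) -> list[dict]:
    """Return one finding per request that reached the supervisord proxy path.

    Any hit deserves review, since an authenticated admin could reach the
    interface; accepted POSTs rank highest because XML-RPC method calls
    travel as POST bodies, while a successful GET may be a password read.
    """
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        req = entry.get("request", {})
        uri = req.get("uri", "")
        if not is_supervisor_path(uri):
            continue
        method, status = req.get("method", ""), entry.get("status")
        if method == "POST" and status == 200:
            severity = "high"    # accepted XML-RPC call
        elif status == 200:
            severity = "medium"  # successful read of the proxied interface
        else:
            severity = "low"     # attempt that was rejected or failed
        findings.append({"remote_ip": req.get("remote_ip"), "method": method,
                         "uri": uri, "status": status, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_supervisor_access(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['remote_ip']} {f['method']} {f['uri']} -> {f['status']}")
```

On a patched (2.1 or later) deployment any remaining hits on this path are still worth a look, since the advisory describes the proxy route as the exposure point.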
