XML-RPC Interface Vulnerability in Appsmith Dashboard Platform
CVE-2026-50189

8.9 HIGH

Key Information:

Status
Vendor
CVE Published: 24 June 2026

What is CVE-2026-50189?

Appsmith, a platform for building internal tools and dashboards, is affected in versions before 2.1. The supervisord process bundled with Appsmith exposes its XML-RPC interface on port 9001, and the bundled Caddy reverse proxy forwards external requests under /supervisor/* to it. The APPSMITH_SUPERVISOR_PASSWORD that protects this interface is managed insecurely: an authenticated administrator can retrieve it with a simple GET request. A malicious insider with administrator access can therefore send arbitrary XML-RPC calls to supervisord and obtain OS command execution inside the Docker container. The issue is fixed in version 2.1, and users should upgrade promptly.
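The description above gives defenders a concrete signal to watch for: on an Appsmith host, any request that the Caddy proxy answers under /supervisor/ is traffic to the supervisord XML-RPC endpoint, and a POST to that path is the shape an XML-RPC call takes. The following detection script is an added example, not code from the Appsmith project or from this advisory. It assumes Caddy 2's default JSON access log layout (request.remote_ip, request.method, request.uri, status); the log lines it scans are constructed for illustration. Until the upgrade to 2.1 is done, running it over the proxy's access log flags both successful and rejected attempts to reach the supervisord path.

```python
import json
from typing import Dict, Iterable, List, Optional

# Constructed Caddy-style JSON access log lines for illustration only. The
# field layout is assumed to match Caddy 2's default JSON access log; none of
# these lines come from the advisory or from a real deployment.
SAMPLE_LOG_LINES = [
    '{"level":"info","ts":1781000000.1,"logger":"http.log.access","msg":"handled request",'
    '"request":{"remote_ip":"10.0.0.5","method":"GET","host":"appsmith.internal","uri":"/app/dashboard"},"status":200}',
    '{"level":"info","ts":1781000001.2,"logger":"http.log.access","msg":"handled request",'
    '"request":{"remote_ip":"10.0.0.7","method":"GET","host":"appsmith.internal","uri":"/supervisor/"},"status":200}',
    '{"level":"info","ts":1781000002.3,"logger":"http.log.access","msg":"handled request",'
    '"request":{"remote_ip":"10.0.0.7","method":"POST","host":"appsmith.internal","uri":"/supervisor/RPC2"},"status":200}',
    '{"level":"info","ts":1781000003.4,"logger":"http.log.access","msg":"handled request",'
    '"request":{"remote_ip":"10.0.0.9","method":"POST","host":"appsmith.internal","uri":"/supervisor/RPC2"},"status":403}',
    'this line is not json and is skipped',
]

# Path prefix under which, per the advisory, the Caddy proxy forwards to supervisord.
SUPERVISOR_PREFIX = "/supervisor/"


def parse_line(line: str) -> Optional[Dict]:
    """Parse one JSON access log line; return None for non-JSON or non-request lines."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict) or "request" not in record:
        return None
    return record


def classify(record: Dict) -> Optional[Dict]:
    """Return a finding for a request under /supervisor/, or None for any other request."""
    req = record.get("request", {})
    uri = req.get("uri", "")
    if not uri.startswith(SUPERVISOR_PREFIX):
        return None
    method = req.get("method", "").upper()
    status = int(record.get("status", 0))
    served = status < 400
    if served and method == "POST":
        severity = "high"     # a POST to the supervisord path was answered: the shape of an XML-RPC call
    elif served:
        severity = "medium"   # the supervisord path is reachable through the proxy at all
    else:
        severity = "low"      # the attempt was rejected, but still worth an alert
    return {
        "ts": record.get("ts"),
        # older Caddy releases log remote_addr instead of remote_ip (assumed, handled defensively)
        "remote_ip": req.get("remote_ip") or req.get("remote_addr"),
        "method": method,
        "uri": uri,
        "status": status,
        "severity": severity,
    }


def scan_access_log(lines: Iterable[str]) -> List[Dict]:
    """Run classify() over every parseable log line and collect the findings in order."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        finding = classify(record)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity so the result can feed a dashboard or alert threshold."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG_LINES)
    for f in results:
        print(f"[{f['severity'].upper():6}] {f['remote_ip']} {f['method']} {f['uri']} -> {f['status']}")
    print(summarize(results))
```

On a patched deployment, or one where the proxy no longer routes /supervisor/*, every request under that prefix should be rejected, so any "medium" or "high" finding is a sign that the exposure is still present; "low" findings show that someone is probing the path and are worth correlating with the administrator account that the password-retrieval step requires.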

Affected Version(s)

appsmith < 2.1

References

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
