Outbound HTTP Host Filtering Issue in Appsmith Platform
CVE-2026-55455
What is CVE-2026-55455?
Appsmith is a popular platform for building admin panels, internal tools, and dashboards. Versions prior to 2.1 contain a vulnerability in the outbound HTTP host filter implemented by WebClientUtils, which is used by both the REST API and GraphQL datasource plugins. The filter relies on an exact-match string denylist for host validation, so it does not check the requested host against address classes (loopback, local, and similar ranges) as a whole. A separate code path used for SMTP does include checks for loopback and local addresses, but the HTTP plugin path lacks this safeguard. Consequently, an authenticated user could use this flaw to make the server send outbound requests to loopback-bound services within the container, potentially leading to unauthorized access or data exposure. This vulnerability was addressed in version 2.1 of the Appsmith platform.
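The defect class described above (an exact-match string denylist standing in for an address-class check) can be shown side by side with a hardened filter. The following is an added example written for this page; it is not Appsmith's WebClientUtils code and makes no assumptions about that code's structure. The `weak_host_allowed` function mirrors the exact-match pattern; `hardened_host_allowed` parses the URL, resolves hostnames through an injectable resolver (a constructed stub is used in the demo so it runs offline), and rejects any address that falls into a loopback, private, link-local, multicast, reserved or unspecified range, including IPv4-mapped IPv6 forms. The denylist contents, the resolver stub and the sample URLs are all constructed for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed exact-match denylist, mirroring the weak pattern the advisory
# describes: only these literal strings are rejected.
EXACT_MATCH_DENYLIST = {"localhost", "127.0.0.1"}


def weak_host_allowed(url: str) -> bool:
    """Exact-match denylist check: blocks only the literal strings in the set."""
    host = urlsplit(url).hostname or ""
    return host.lower() not in EXACT_MATCH_DENYLIST


# A resolver maps a hostname to the IP address strings it resolves to.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Default resolver using the OS resolver (not used by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_disallowed_address(addr: ipaddress._BaseAddress) -> bool:
    """True if the address belongs to any class an outbound filter should block."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 classification applies.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def hardened_host_allowed(url: str, resolver: Resolver = system_resolver) -> bool:
    """Address-class check: parse the URL, resolve the host, classify every address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # urlsplit lowercases and strips IPv6 brackets
    if not host:
        return False
    # Names that conventionally map to loopback are rejected before resolution.
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no resolution needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False  # unresolvable hosts are not allowed through
    return not any(_is_disallowed_address(a) for a in addrs)


# Constructed resolver stub so the demo runs without network access.
STUB_DNS = {
    "db.internal.example": ["10.0.0.5"],
    "api.example.test": ["93.184.216.34"],
}


def stub_resolver(host: str) -> list[str]:
    return STUB_DNS.get(host, [])


if __name__ == "__main__":
    samples = [
        "http://127.0.0.1/",
        "http://127.0.0.2/",
        "http://[::1]:8080/",
        "http://db.internal.example/",
        "https://api.example.test/v1",
    ]
    for url in samples:
        print(f"{url:35} weak={weak_host_allowed(url)!s:5} "
              f"hardened={hardened_host_allowed(url, stub_resolver)}")
```

The important design point is that the hardened check classifies the addresses the request would actually reach rather than comparing strings: the whole 127.0.0.0/8 and ::1 are loopback, not just the one literal in a denylist. In a real client the addresses returned by the resolver should also be the ones the connection is made to, otherwise a second lookup at connect time can yield a different answer than the one that was checked.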
Affected Version(s)
appsmith < 2.1
