Outbound HTTP Host Filtering Issue in Appsmith Platform
CVE-2026-55455

5.3 MEDIUM

Key Information:

CVE Published: 24 June 2026

What is CVE-2026-55455?

Appsmith is a popular platform for building admin panels, internal tools, and dashboards. Versions prior to 2.1 have a vulnerability in the outbound HTTP host filter implemented by WebClientUtils, which both the REST API and GraphQL datasource plugins use. The filter validates hosts with an exact-match string denylist, so it does not cover every address class that can reach internal services. A separate code path used for SMTP does check for loopback and local addresses, but the HTTP plugin path lacks that safeguard. Consequently, an authenticated user could exploit this flaw to send outbound requests to loopback-bound services inside the container, potentially leading to unauthorized access or data exposure. This vulnerability was addressed in version 2.1 of the Appsmith platform.
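As an added illustration (not Appsmith's own code), the two host-validation approaches the description contrasts: an exact-match string denylist beside a check that resolves the host and rejects by address class. The FAKE_DNS map, the sample addresses and the function names are assumptions constructed for this example.

```python
import ipaddress
from typing import Dict, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for DNS so the example runs offline (assumption, not real data).
FAKE_DNS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1", "::1"],
    "api.example.com": ["23.45.67.89"],        # constructed public address
    "internal.example.test": ["10.0.0.5"],     # constructed RFC 1918 address
}

# The weak pattern: a fixed set of literal strings compared for exact equality.
DENYLIST = {"localhost", "127.0.0.1"}


def exact_match_denylist_allows(host: str) -> bool:
    """Weak check: only hosts spelled exactly like a denylist entry are blocked."""
    return host.strip().lower() not in DENYLIST


def resolve(host: str) -> List[IPAddr]:
    """Return every address a host maps to; IP literals (with or without
    IPv6 brackets) resolve to themselves, names go through FAKE_DNS."""
    try:
        return [ipaddress.ip_address(host.strip("[]"))]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host.lower(), [])]


def is_non_public(addr: IPAddr) -> bool:
    """Reject by address class rather than by spelling: loopback, RFC 1918 /
    ULA, link-local, unspecified, multicast and reserved ranges all count."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d is judged as a.b.c.d
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def address_class_check_allows(host: str) -> bool:
    """Hardened check: resolve first, then require every address to be public.
    An unresolvable host fails closed. In production the same test must run
    on the address actually connected to, or a DNS answer could change between
    check and use."""
    addrs = resolve(host)
    return bool(addrs) and not any(is_non_public(a) for a in addrs)
```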

Affected Version(s)

appsmith < 2.1

References

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability Published

  • Vulnerability Reserved
