CVE-2026-24042
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute unpublished edit-mode actions in publicly accessible Appsmith applications. Attackers can access sensitive data, run unauthorized queries and APIs, and trigger unintended side effects. All Appsmith deployments with publicly accessible apps running versions 1.94 or below are affected.
💻 Affected Systems
- Appsmith
📦 What is this software?
Appsmith by Appsmith
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of application data including sensitive development information, execution of arbitrary database queries, unauthorized API calls, and potential data exfiltration or destruction.
Likely Case
Unauthorized access to development data, exposure of database credentials or API keys stored in edit-mode actions, and execution of unintended business logic.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent public access to Appsmith instances.
🎯 Exploit Status
Exploitation requires only an HTTP POST request to /api/v1/actions/execute with the viewMode parameter set to false or omitted. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883
Restart Required: No
Instructions:
No official patch available. Monitor Appsmith releases for security updates and apply immediately when available.
🔧 Temporary Workarounds
Restrict Public Access
Configure Appsmith instances to be accessible only from trusted networks using firewall rules or network security groups.
Implement Reverse Proxy Authentication
Place Appsmith behind a reverse proxy that requires authentication before reaching the application.
🧯 If You Can't Patch
- Disable public access to Appsmith instances immediately
- Implement network segmentation to isolate Appsmith from sensitive data sources
🔍 How to Verify
Check if Vulnerable:
Check whether the Appsmith version is 1.94 or below and whether any apps are publicly accessible. Test by sending a POST request to /api/v1/actions/execute with viewMode=false against an unpublished action.
Check Version:
Check Appsmith admin panel or container image tag for version information.
Verify Fix Applied:
Once a patch is available, verify that the Appsmith version is above 1.94. Test that unpublished actions cannot be executed without proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /api/v1/actions/execute from unauthenticated users
- Failed authentication attempts followed by successful action executions
Network Indicators:
- HTTP POST requests to /api/v1/actions/execute with viewMode=false parameter from unexpected sources
SIEM Query:
source="appsmith" AND (url_path="/api/v1/actions/execute" AND http_method="POST") AND (user="anonymous" OR auth_status="failed")
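The SIEM query above expresses the detection logic in a single search string; the following Python script is an added example (not part of this advisory or of the Appsmith project) that applies the same logic to access-log records so it can be run offline or used as a reference when tuning a rule. The log format (one JSON record per line with fields ts, user, method, path, query, body) is an assumption for this example, as is the idea that viewMode may arrive either as a query parameter or as a key in a JSON body; adapt the field names to whatever your proxy or Appsmith logging actually emits. The sample records are constructed.

```python
import json
from typing import List, Optional
from urllib.parse import parse_qs

# Constructed sample access-log records (hypothetical JSON-per-line format).
# Only lines 1, 4 and 5 should be flagged: anonymous POSTs to the execute
# endpoint where viewMode is false or omitted.
SAMPLE_LOG = """\
{"ts": "2026-01-10T12:00:01Z", "user": "anonymous", "method": "POST", "path": "/api/v1/actions/execute", "query": "viewMode=false", "body": "{}"}
{"ts": "2026-01-10T12:00:02Z", "user": "anonymous", "method": "POST", "path": "/api/v1/actions/execute", "query": "viewMode=true", "body": "{}"}
{"ts": "2026-01-10T12:00:03Z", "user": "alice@example.com", "method": "POST", "path": "/api/v1/actions/execute", "query": "viewMode=false", "body": "{}"}
{"ts": "2026-01-10T12:00:04Z", "user": "anonymous", "method": "POST", "path": "/api/v1/actions/execute", "query": "", "body": "{\\"viewMode\\": false}"}
{"ts": "2026-01-10T12:00:05Z", "user": "anonymous", "method": "POST", "path": "/api/v1/actions/execute", "query": "", "body": "{}"}
{"ts": "2026-01-10T12:00:06Z", "user": "anonymous", "method": "GET", "path": "/api/v1/pages", "query": "", "body": ""}
"""

EXECUTE_PATH = "/api/v1/actions/execute"


def view_mode(query: str, body: str) -> Optional[bool]:
    """Return the viewMode value from the query string or the JSON body, or None if absent.

    Where the parameter is carried (query string vs. body) is an assumption of this
    example; the advisory only states that it is false or omitted in malicious requests.
    """
    qs = parse_qs(query)
    if "viewMode" in qs:
        return qs["viewMode"][0].lower() == "true"
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return None
    if isinstance(payload, dict) and "viewMode" in payload:
        value = payload["viewMode"]
        return value is True or str(value).lower() == "true"
    return None


def is_suspicious(record: dict) -> bool:
    """Mirror the SIEM query: POST to the execute endpoint by an unauthenticated
    principal, where viewMode is false or omitted (i.e. not an explicit view-mode run)."""
    if record.get("method") != "POST" or record.get("path") != EXECUTE_PATH:
        return False
    unauthenticated = (
        record.get("user") in ("anonymous", "", None)
        or record.get("auth_status") == "failed"
    )
    if not unauthenticated:
        return False
    return view_mode(record.get("query", ""), record.get("body", "")) is not True


def find_suspicious(log_text: str) -> List[dict]:
    """Parse JSON-per-line log text and return the records that match the rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if is_suspicious(record):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} {hit['method']} {hit['path']} query={hit['query']!r}")
```

Authenticated requests with viewMode=false (the third sample record) are deliberately not flagged, since an editor exercising an unpublished action in edit mode is normal behaviour; the rule isolates the unauthenticated case the advisory describes. If your proxy does not log request bodies, the body check simply falls back to treating viewMode as omitted, which still flags the request.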