CVE-2026-34411
Appsmith < 1.98 Unauthenticated Instance Configuration Disclosure via Management APIs
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.9EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
27 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
Appsmith · Appsmith