CVE-2026-49979
Appsmith: SSRF via `POST /api/v1/admin/send-test-email` - JavaMail Bypasses WebClient IP Filter
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the `POST /api/v1/admin/send-test-email` endpoint accepts attacker-controlled `smtpHost` and `smtpPort` values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses `WebClientUtils.IP_CHECK_FILTER`, which only applies to Spring WebClient HTTP requests, so the filter never sees the SMTP connection. Additionally, the raw `MailException.getMessage()` is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.
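The two defects above (an IP filter that only covers one transport, and a transport error echoed to the caller) are addressed by validating the resolved SMTP target before any socket is opened and by returning a fixed error string. The following is an added illustration, not Appsmith's code or its 1.99 patch; the class `SmtpTargetGuard`, its method names and the allowed-port list are assumptions for this example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

// Hypothetical helper (not Appsmith's code): gate an admin "send test email"
// request before JavaMail opens a raw TCP connection to smtpHost:smtpPort.
public final class SmtpTargetGuard {

    private SmtpTargetGuard() {}

    // Assumed policy: only standard SMTP submission ports for a test-email feature.
    private static final List<Integer> ALLOWED_PORTS = List.of(25, 465, 587, 2525);

    /** True only if the port is permitted and every resolved address is public unicast. */
    public static boolean isAllowedTarget(String smtpHost, int smtpPort) {
        if (smtpHost == null || smtpHost.isBlank() || !ALLOWED_PORTS.contains(smtpPort)) {
            return false;
        }
        InetAddress[] resolved;
        try {
            resolved = InetAddress.getAllByName(smtpHost.trim());
        } catch (UnknownHostException e) {
            return false; // unresolvable names are refused, not reported in detail
        }
        // All records must be public: one internal record in a multi-record answer is
        // enough to refuse the host (the same check an HTTP-only filter would never run).
        for (InetAddress addr : resolved) {
            if (addr.isAnyLocalAddress() || addr.isLoopbackAddress()
                    || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
                    || addr.isMulticastAddress() || isCgnatOrUla(addr)) {
                return false;
            }
        }
        return true;
    }

    // isSiteLocalAddress() covers RFC 1918 and fec0::/10 but not 100.64.0.0/10 (CGNAT)
    // or IPv6 ULA fc00::/7, so those ranges are checked on the raw bytes.
    private static boolean isCgnatOrUla(InetAddress addr) {
        byte[] b = addr.getAddress();
        if (b.length == 4) {
            return (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40;
        }
        return b.length == 16 && (b[0] & 0xfe) == 0xfc;
    }

    /** Fixed client-facing message; the raw MailException text belongs in server logs only. */
    public static String safeErrorMessage(Exception cause) {
        // cause (including cause.getMessage()) is logged server-side, never returned
        return "Test email could not be sent. Check the SMTP settings and server logs.";
    }
}
```

Because JavaMail resolves the host name again when it connects, the validated address should be the one handed to the mail session (or the check repeated at connect time); otherwise a DNS answer that changes between the check and the connection would still reach an internal address.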
| CWE | CWE-209 CWE-918 |
| Vendor | appsmithorg |
| Product | appsmith |
| Published | Jun 24, 2026 |
Affected Versions
appsmithorg / appsmith
< 1.99