CVE-2026-50189
Appsmith: RCE via Supervisord XML-RPC Admin Interface Exposed via /supervisor Caddy Route
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup. This vulnerability is fixed in 2.1.
| CWE | CWE-183 CWE-918 |
| Vendor | appsmithorg |
| Product | appsmith |
| Published | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for appsmithorg appsmith
Be the first to know when new unknown vulnerabilities affecting appsmithorg appsmith are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
appsmithorg / appsmith
< 2.1