CVE-2026-55454

CRITICAL 9.9

Appsmith: Caddy admin API exposed without authentication

CVSS Score

9.9

EPSS Score

0.0%

EPSS Percentile

0th

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.

CWE	CWE-749 CWE-1188
Vendor	appsmithorg
Product	appsmith
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for appsmithorg appsmith

Be the first to know when new critical vulnerabilities affecting appsmithorg appsmith are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

appsmithorg / appsmith

< 2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc