CVE-2026-55455
Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
| CWE | CWE-918 |
| Vendor | appsmithorg |
| Product | appsmith |
| Published | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for appsmithorg appsmith
Be the first to know when new unknown vulnerabilities affecting appsmithorg appsmith are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
appsmithorg / appsmith
< 2.1