Platform: other
Component: appsmith
Fixed in: 1.98.0
CVE-2026-34411 describes a vulnerability in Appsmith versions prior to 1.98.0 where sensitive instance management API endpoints are exposed without authentication. Attackers can leverage these endpoints to retrieve valuable configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains. This information can be used for reconnaissance and planning targeted attacks against Appsmith deployments. The vulnerability is fixed in version 1.98.0.
The primary impact of CVE-2026-34411 is the exposure of sensitive information that can be used for reconnaissance and targeted attacks. An attacker can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to obtain configuration details, license information, and crucially, unsalted SHA-256 hashes of admin email domains. These hashes, while not passwords, can be used in brute-force or dictionary attacks against other systems where the same email addresses and weak passwords are used. The ability to enumerate admin email domains allows attackers to tailor phishing campaigns or other social engineering attacks specifically targeting Appsmith administrators. The lack of authentication means that any user, even without an Appsmith account, can access these endpoints.
CVE-2026-34411 was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation or a public proof-of-concept. The vulnerability is not listed on the CISA KEV catalog. The CVSS score of 5.3 (MEDIUM) indicates a moderate probability of exploitation, particularly given the ease of access to the vulnerable endpoints.
Organizations using Appsmith versions 0.0 through 1.98.0, particularly those with publicly accessible Appsmith instances or those who rely on Appsmith for sensitive data processing, are at risk. Shared hosting environments where Appsmith instances may be exposed to a wider range of potential attackers are also at increased risk.
EPSS: 0.08% (24th percentile)
The primary mitigation for CVE-2026-34411 is to upgrade Appsmith to version 1.98.0 or later, which includes the authentication fixes. If upgrading immediately is not possible, consider implementing a temporary workaround by restricting access to the vulnerable API endpoints using a web application firewall (WAF) or proxy server. Configure the WAF/proxy to block requests to /api/v1/consolidated-api/view and /api/v1/tenants/current that do not originate from trusted sources. Regularly review Appsmith's access control lists to ensure only authorized users have access to sensitive resources. After upgrading, confirm the fix by attempting to access the vulnerable endpoints with an unauthenticated request; the request should now be denied.
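The following reverse-proxy configuration is an added example of the temporary workaround described above; it is not taken from the advisory or from the Appsmith project. It assumes nginx is the proxy in front of Appsmith, that the instance is reachable at the upstream address `appsmith:80`, and that `10.0.0.0/8` and `192.0.2.0/24` are placeholder trusted networks; replace these with your own values.

```nginx
# Added example (not from the advisory or from Appsmith): restrict the two
# endpoints named in the advisory to trusted source ranges at the nginx layer.
# appsmith:80, appsmith.example.com and both CIDRs are placeholders.

upstream appsmith_backend {
    server appsmith:80;   # assumed address of the Appsmith container/host
}

server {
    listen 443 ssl;
    server_name appsmith.example.com;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key directives omitted here

    # "location =" matches only this exact path, so longer paths that share
    # the prefix are not accidentally covered by the allow/deny rules.
    location = /api/v1/consolidated-api/view {
        allow 10.0.0.0/8;      # placeholder: internal admin network
        allow 192.0.2.0/24;    # placeholder: office/VPN egress range
        deny  all;             # every other source gets 403 before reaching Appsmith
        proxy_pass http://appsmith_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location = /api/v1/tenants/current {
        allow 10.0.0.0/8;
        allow 192.0.2.0/24;
        deny  all;
        proxy_pass http://appsmith_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # All other Appsmith traffic passes through unchanged.
    location / {
        proxy_pass http://appsmith_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats when applying this. First, `allow`/`deny` evaluate the TCP peer address; if nginx itself sits behind a load balancer or CDN, set `set_real_ip_from` and `real_ip_header X-Forwarded-For` (ngx_http_realip_module) for that hop, or the rules will see the balancer's address for every request. Second, the Appsmith client may call these paths itself when loading applications, so after applying the rule confirm that your published apps still work for users outside the trusted ranges. To verify the block, an unauthenticated `curl -s -o /dev/null -w '%{http_code}\n' https://appsmith.example.com/api/v1/tenants/current` from an untrusted address should return 403 (and, after the upgrade to 1.98.0 with the rule removed, the request should still be denied by Appsmith itself). Denied requests appear in the nginx error log with "access forbidden by rule", which makes a useful signal for detecting probing of these endpoints.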
Update Appsmith to version 1.98.0 or later. This version fixes the vulnerability that allows unauthenticated access to the instance management APIs.
CVE-2026-34411 is a vulnerability in Appsmith versions 0.0–1.98.0 that allows unauthenticated attackers to retrieve sensitive configuration data and admin email hashes via exposed API endpoints.
You are affected if you are using Appsmith versions 0.0 through 1.98.0. Upgrade to 1.98.0 or later to mitigate the risk.
Upgrade Appsmith to version 1.98.0 or later. As a temporary workaround, restrict access to the vulnerable API endpoints using a WAF or proxy.
There is currently no indication of active exploitation, but the ease of access to the vulnerable endpoints warrants immediate attention.
Refer to the Appsmith security advisory for detailed information and updates: [https://appsmith.com/security](https://appsmith.com/security)