Platform
other
Component
appsmith
Fixed in
1.98.0
CVE-2026-34411 describes a vulnerability in Appsmith versions prior to 1.98.0 where sensitive instance management API endpoints are exposed without authentication. Attackers can leverage these endpoints to retrieve valuable configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains. This information can be used for reconnaissance and planning targeted attacks against Appsmith deployments. The vulnerability is fixed in version 1.98.0.
The primary impact of CVE-2026-34411 is the exposure of sensitive information that can be used for reconnaissance and targeted attacks. An attacker can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to obtain configuration details, license information, and crucially, unsalted SHA-256 hashes of admin email domains. These hashes, while not passwords, can be used in brute-force or dictionary attacks against other systems where the same email addresses and weak passwords are used. The ability to enumerate admin email domains allows attackers to tailor phishing campaigns or other social engineering attacks specifically targeting Appsmith administrators. The lack of authentication means that any user, even without an Appsmith account, can access these endpoints.
CVE-2026-34411 was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation or a public proof-of-concept. The vulnerability is not listed on the CISA KEV catalog. The CVSS score of 5.3 (MEDIUM) indicates a moderate probability of exploitation, particularly given the ease of access to the vulnerable endpoints.
Exploit Status
EPSS
0.08% (24% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34411 is to upgrade Appsmith to version 1.98.0 or later, which includes the authentication fixes. If upgrading immediately is not possible, consider implementing a temporary workaround by restricting access to the vulnerable API endpoints using a web application firewall (WAF) or proxy server. Configure the WAF/proxy to block requests to /api/v1/consolidated-api/view and /api/v1/tenants/current that do not originate from trusted sources. Regularly review Appsmith's access control lists to ensure only authorized users have access to sensitive resources. After upgrading, confirm the fix by attempting to access the vulnerable endpoints with an unauthenticated request; the request should now be denied.
Update Appsmith to version 1.98.0 or later. This version fixes the vulnerability that allows unauthenticated access to instance management APIs.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34411 is a vulnerability in Appsmith versions 0.0–1.98.0 that allows unauthenticated attackers to retrieve sensitive configuration data and admin email hashes via exposed API endpoints.
You are affected if you are using Appsmith versions 0.0 through 1.98.0. Upgrade to 1.98.0 or later to mitigate the risk.
Upgrade Appsmith to version 1.98.0 or later. As a temporary workaround, restrict access to the vulnerable API endpoints using a WAF or proxy.
There is currently no indication of active exploitation, but the ease of access to the vulnerable endpoints warrants immediate attention.
Refer to the Appsmith security advisory for detailed information and updates: [https://appsmith.com/security](https://appsmith.com/security)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.