HIGHCVE-2026-5418CVSS 7.3

CVE-2026-5418: SSRF in Appsmith 1.0 - 1.97

Platform

java

Component

appsmith

Fixed in

1.0.1

1.1.1

1.2.1

1.3.1

1.4.1

1.5.1

1.6.1

1.7.1

1.8.1

1.9.1

1.10.1

1.11.1

1.12.1

1.13.1

1.14.1

1.15.1

1.16.1

1.17.1

1.18.1

1.19.1

1.20.1

1.21.1

1.22.1

1.23.1

1.24.1

1.25.1

1.26.1

1.27.1

1.28.1

1.29.1

1.30.1

1.31.1

1.32.1

1.33.1

1.34.1

1.35.1

1.36.1

1.37.1

1.38.1

1.39.1

1.40.1

1.41.1

1.42.1

1.43.1

1.44.1

1.45.1

1.46.1

1.47.1

1.48.1

1.49.1

1.50.1

1.51.1

1.52.1

1.53.1

1.54.1

1.55.1

1.56.1

1.57.1

1.58.1

1.59.1

1.60.1

1.61.1

1.62.1

1.63.1

1.64.1

1.65.1

1.66.1

1.67.1

1.68.1

1.69.1

1.70.1

1.71.1

1.72.1

1.73.1

1.74.1

1.75.1

1.76.1

1.77.1

1.78.1

1.79.1

1.80.1

1.81.1

1.82.1

1.83.1

1.84.1

1.85.1

1.86.1

1.87.1

1.88.1

1.89.1

1.90.1

1.91.1

1.92.1

1.93.1

1.94.1

1.95.1

1.96.1

1.99

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2026-5418 is a server-side request forgery (SSRF) vulnerability affecting Appsmith versions 1.0 through 1.97. This flaw allows attackers to manipulate the computeDisallowedHosts function within the WebClientUtils.java component, potentially leading to unauthorized access to internal resources. The vulnerability has a CVSS score of 7.3 (HIGH) and a publicly available exploit exists, making it a significant security concern. Upgrade to version 1.99 to resolve this issue.

Impact and Attack Scenarios

The SSRF vulnerability in Appsmith allows an attacker to craft malicious requests that originate from the Appsmith server itself. This can be exploited to access internal services and resources that are not directly accessible from the outside world. For example, an attacker could potentially access internal APIs, databases, or other sensitive systems. The ability to make requests as the server opens up a broad attack surface. Given the availability of a public exploit, the risk of exploitation is elevated, and organizations using vulnerable versions of Appsmith should prioritize remediation. The potential for data exfiltration and lateral movement within the network is significant.

Exploitation Context

CVE-2026-5418 is actively being tracked and a public proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability was disclosed on 2026-04-02. The vendor responded quickly and released a patch. While no confirmed exploitation campaigns have been publicly reported, the availability of a PoC significantly increases the risk. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.05% (17% percentile)

CISA SSVC

Exploitationpoc

Automatableyes

Technical Impactpartial

CVSS Vector

Affected Software

Componentappsmith

Vendorappsmithorg

Affected rangeFixed in

1.0 – 1.01.0.1

1.1 – 1.11.1.1

1.2 – 1.21.2.1

1.3 – 1.31.3.1

1.4 – 1.41.4.1

1.5 – 1.51.5.1

1.6 – 1.61.6.1

1.7 – 1.71.7.1

1.8 – 1.81.8.1

1.9 – 1.91.9.1

1.10 – 1.101.10.1

1.11 – 1.111.11.1

1.12 – 1.121.12.1

1.13 – 1.131.13.1

1.14 – 1.141.14.1

1.15 – 1.151.15.1

1.16 – 1.161.16.1

1.17 – 1.171.17.1

1.18 – 1.181.18.1

1.19 – 1.191.19.1

1.20 – 1.201.20.1

1.21 – 1.211.21.1

1.22 – 1.221.22.1

1.23 – 1.231.23.1

1.24 – 1.241.24.1

1.25 – 1.251.25.1

1.26 – 1.261.26.1

1.27 – 1.271.27.1

1.28 – 1.281.28.1

1.29 – 1.291.29.1

1.30 – 1.301.30.1

1.31 – 1.311.31.1

1.32 – 1.321.32.1

1.33 – 1.331.33.1

1.34 – 1.341.34.1

1.35 – 1.351.35.1

1.36 – 1.361.36.1

1.37 – 1.371.37.1

1.38 – 1.381.38.1

1.39 – 1.391.39.1

1.40 – 1.401.40.1

1.41 – 1.411.41.1

1.42 – 1.421.42.1

1.43 – 1.431.43.1

1.44 – 1.441.44.1

1.45 – 1.451.45.1

1.46 – 1.461.46.1

1.47 – 1.471.47.1

1.48 – 1.481.48.1

1.49 – 1.491.49.1

1.50 – 1.501.50.1

1.51 – 1.511.51.1

1.52 – 1.521.52.1

1.53 – 1.531.53.1

1.54 – 1.541.54.1

1.55 – 1.551.55.1

1.56 – 1.561.56.1

1.57 – 1.571.57.1

1.58 – 1.581.58.1

1.59 – 1.591.59.1

1.60 – 1.601.60.1

1.61 – 1.611.61.1

1.62 – 1.621.62.1

1.63 – 1.631.63.1

1.64 – 1.641.64.1

1.65 – 1.651.65.1

1.66 – 1.661.66.1

1.67 – 1.671.67.1

1.68 – 1.681.68.1

1.69 – 1.691.69.1

1.70 – 1.701.70.1

1.71 – 1.711.71.1

1.72 – 1.721.72.1

1.73 – 1.731.73.1

1.74 – 1.741.74.1

1.75 – 1.751.75.1

1.76 – 1.761.76.1

1.77 – 1.771.77.1

1.78 – 1.781.78.1

1.79 – 1.791.79.1

1.80 – 1.801.80.1

1.81 – 1.811.81.1

1.82 – 1.821.82.1

1.83 – 1.831.83.1

1.84 – 1.841.84.1

1.85 – 1.851.85.1

1.86 – 1.861.86.1

1.87 – 1.871.87.1

1.88 – 1.881.88.1

1.89 – 1.891.89.1

1.90 – 1.901.90.1

1.91 – 1.911.91.1

1.92 – 1.921.92.1

1.93 – 1.931.93.1

1.94 – 1.941.94.1

1.95 – 1.951.95.1

1.96 – 1.961.96.1

1.97 – 1.971.99

Weakness Classification (CWE)

CWE-918

Timeline

Reserved2026-04-02
Published2026-04-02
Modified2026-04-03
EPSS updated2026-04-10

Mitigation and Workarounds

The primary mitigation for CVE-2026-5418 is to upgrade Appsmith to version 1.99 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. These may include restricting outbound network access from the Appsmith server using a firewall or proxy. Carefully review and restrict the allowed domains for outbound requests within Appsmith's configuration. Implement strict input validation on any user-supplied data that is used to construct URLs. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability using known exploit techniques and verifying that the requests are blocked.

How to fix

Update Appsmith to version 1.99 or higher. This version fixes the Server-Side Request Forgery (SSRF) vulnerability in the Dashboard component.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-5418 — SSRF in Appsmith?

CVE-2026-5418 is a server-side request forgery (SSRF) vulnerability affecting Appsmith versions 1.0 through 1.97, allowing attackers to make requests from the server.

Am I affected by CVE-2026-5418 in Appsmith?

If you are using Appsmith versions 1.0 through 1.97, you are affected by this vulnerability and should upgrade immediately.

How do I fix CVE-2026-5418 in Appsmith?

Upgrade Appsmith to version 1.99 or later to resolve the SSRF vulnerability. Consider temporary workarounds like restricting outbound network access if immediate upgrade is not possible.

Is CVE-2026-5418 being actively exploited?

A public proof-of-concept exploit is available, indicating a high probability of exploitation. Monitor for any signs of active campaigns.

Where can I find the official Appsmith advisory for CVE-2026-5418?

Refer to the Appsmith security advisory for detailed information and updates regarding CVE-2026-5418: [https://appsmith.com/security](https://appsmith.com/security)

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Java / Maven

Detect this CVE in your project

Upload your pom.xml file and we'll tell you instantly if you're affected.

Supported formats: pom.xml · build.gradle

Scan free

Search CVEs

Upload pom.xml

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.