Platform
java
Component
appsmith
Fixed in
1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1, 1.9.1, 1.10.1, 1.11.1, 1.12.1, 1.13.1, 1.14.1, 1.15.1, 1.16.1, 1.17.1, 1.18.1, 1.19.1, 1.20.1, 1.21.1, 1.22.1, 1.23.1, 1.24.1, 1.25.1, 1.26.1, 1.27.1, 1.28.1, 1.29.1, 1.30.1, 1.31.1, 1.32.1, 1.33.1, 1.34.1, 1.35.1, 1.36.1, 1.37.1, 1.38.1, 1.39.1, 1.40.1, 1.41.1, 1.42.1, 1.43.1, 1.44.1, 1.45.1, 1.46.1, 1.47.1, 1.48.1, 1.49.1, 1.50.1, 1.51.1, 1.52.1, 1.53.1, 1.54.1, 1.55.1, 1.56.1, 1.57.1, 1.58.1, 1.59.1, 1.60.1, 1.61.1, 1.62.1, 1.63.1, 1.64.1, 1.65.1, 1.66.1, 1.67.1, 1.68.1, 1.69.1, 1.70.1, 1.71.1, 1.72.1, 1.73.1, 1.74.1, 1.75.1, 1.76.1, 1.77.1, 1.78.1, 1.79.1, 1.80.1, 1.81.1, 1.82.1, 1.83.1, 1.84.1, 1.85.1, 1.86.1, 1.87.1, 1.88.1, 1.89.1, 1.90.1, 1.91.1, 1.92.1, 1.93.1, 1.94.1, 1.95.1, 1.96.1, 1.99
CVE-2026-5418 is a server-side request forgery (SSRF) vulnerability affecting Appsmith versions 1.0 through 1.97. The flaw lies in the computeDisallowedHosts function of the WebClientUtils.java component, which an attacker can manipulate to reach internal resources that should not be accessible. The vulnerability carries a CVSS score of 7.3 (HIGH), and a public exploit exists, which makes it a significant security concern. Upgrade to version 1.99 to resolve the issue.
The SSRF vulnerability in Appsmith allows an attacker to craft malicious requests that originate from the Appsmith server itself. This can be exploited to access internal services and resources that are not directly accessible from the outside world. For example, an attacker could potentially access internal APIs, databases, or other sensitive systems. The ability to make requests as the server opens up a broad attack surface. Given the availability of a public exploit, the risk of exploitation is elevated, and organizations using vulnerable versions of Appsmith should prioritize remediation. The potential for data exfiltration and lateral movement within the network is significant.
CVE-2026-5418 is actively being tracked and a public proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability was disclosed on 2026-04-02. The vendor responded quickly and released a patch. While no confirmed exploitation campaigns have been publicly reported, the availability of a PoC significantly increases the risk. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations deploying Appsmith in environments with internal services accessible via HTTP or HTTPS are at risk. This includes deployments where Appsmith is used to integrate with internal APIs or databases. Shared hosting environments where Appsmith instances share the same network infrastructure are particularly vulnerable, as a successful exploit could potentially compromise other systems on the same network.
• linux / server:
journalctl -u appsmith -g 'computeDisallowedHosts' | grep -i error
• generic web:
curl -I <appsmith_url>/api/v1/dashboards/some_dashboard | grep -i 'Server:'
• generic web:
curl -I <appsmith_url>/api/v1/dashboards/some_dashboard | grep -i 'X-Powered-By:'
Exploit Status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5418 is to upgrade Appsmith to version 1.99 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. These may include restricting outbound network access from the Appsmith server using a firewall or proxy. Carefully review and restrict the allowed domains for outbound requests within Appsmith's configuration. Implement strict input validation on any user-supplied data that is used to construct URLs. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability using known exploit techniques and verifying that the requests are blocked.
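Shown below, as an added illustration that is not Appsmith's own code, is the shape of check the workarounds above call for: a deny list of hosts combined with a resolved-address check, so that any name resolving to a loopback, link-local, private or unspecified address is refused before the server-side client sends anything. The class name OutboundHostGuard, the configured deny set and the http/https restriction are assumptions.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

public final class OutboundHostGuard {
    private final Set<String> disallowedHosts; // assumed: loaded from configuration

    public OutboundHostGuard(Set<String> disallowedHosts) {
        this.disallowedHosts = disallowedHosts;
    }

    /** Returns true only if a server-side request to url is acceptable. */
    public boolean isAllowed(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is never a valid target
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false; // e.g. "127.1", which URI cannot parse as a host
        scheme = scheme.toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) return false;
        host = host.toLowerCase();
        // URI keeps brackets around IPv6 literals; drop them so the deny list matches.
        if (host.startsWith("[") && host.endsWith("]")) host = host.substring(1, host.length() - 1);
        if (disallowedHosts.contains(host)) return false;
        try {
            // Check every address the name resolves to: a DNS record pointing at an internal address must not slip past a name-only deny list.
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (addr.isLoopbackAddress() || addr.isLinkLocalAddress() // link-local covers 169.254.169.254
                        || addr.isSiteLocalAddress() || addr.isAnyLocalAddress() || isUniqueLocalV6(addr)) {
                    return false;
                }
            }
        } catch (UnknownHostException e) {
            return false; // cannot resolve: refuse rather than guess
        }
        return true; // the caller should connect to the addresses checked here rather than re-resolve
    }

    /** fc00::/7: Java's isSiteLocalAddress() only covers the deprecated fec0::/10 range. */
    private static boolean isUniqueLocalV6(InetAddress addr) {
        return addr instanceof Inet6Address && (addr.getAddress()[0] & 0xfe) == 0xfc;
    }
}
```

The resolution step fails closed when DNS is unavailable, so a deployment that relies on it needs resolvers reachable from the Appsmith server.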
Upgrade Appsmith to version 1.99 or later. This version fixes the Server-Side Request Forgery (SSRF) vulnerability in the Dashboard component.
CVE-2026-5418 is a server-side request forgery (SSRF) vulnerability affecting Appsmith versions 1.0 through 1.97, allowing attackers to make requests from the server.
If you are using Appsmith versions 1.0 through 1.97, you are affected by this vulnerability and should upgrade immediately.
Upgrade Appsmith to version 1.99 or later to resolve the SSRF vulnerability. Consider temporary workarounds like restricting outbound network access if immediate upgrade is not possible.
A public proof-of-concept exploit is available, indicating a high probability of exploitation. Monitor for any signs of active campaigns.
Refer to the Appsmith security advisory for detailed information and updates regarding CVE-2026-5418: [https://appsmith.com/security](https://appsmith.com/security)