Platform: other
Component: appsmith
Fixed version: 1.98.0
CVE-2026-34411 describes a vulnerability in Appsmith versions prior to 1.98.0 where sensitive instance management API endpoints are exposed without authentication. Attackers can leverage these endpoints to retrieve valuable configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains. This information can be used for reconnaissance and planning targeted attacks against Appsmith deployments. The vulnerability is fixed in version 1.98.0.
The primary impact of CVE-2026-34411 is the exposure of sensitive information that can be used for reconnaissance and targeted attacks. An attacker can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to obtain configuration details, license information, and crucially, unsalted SHA-256 hashes of admin email domains. These hashes, while not passwords, can be used in brute-force or dictionary attacks against other systems where the same email addresses and weak passwords are used. The ability to enumerate admin email domains allows attackers to tailor phishing campaigns or other social engineering attacks specifically targeting Appsmith administrators. The lack of authentication means that any user, even without an Appsmith account, can access these endpoints.
CVE-2026-34411 was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation or a public proof-of-concept. The vulnerability is not listed on the CISA KEV catalog. The CVSS score of 5.3 (MEDIUM) indicates a moderate probability of exploitation, particularly given the ease of access to the vulnerable endpoints.
Organizations using Appsmith versions 0.0 through 1.98.0, particularly those with publicly accessible Appsmith instances or those who rely on Appsmith for sensitive data processing, are at risk. Shared hosting environments where Appsmith instances may be exposed to a wider range of potential attackers are also at increased risk.
disclosure
Exploit status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34411 is to upgrade Appsmith to version 1.98.0 or later, which includes the authentication fixes. If upgrading immediately is not possible, consider implementing a temporary workaround by restricting access to the vulnerable API endpoints using a web application firewall (WAF) or proxy server. Configure the WAF/proxy to block requests to /api/v1/consolidated-api/view and /api/v1/tenants/current that do not originate from trusted sources. Regularly review Appsmith's access control lists to ensure only authorized users have access to sensitive resources. After upgrading, confirm the fix by attempting to access the vulnerable endpoints with an unauthenticated request; the request should now be denied.
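An added post-upgrade verification script (not from the advisory or from Appsmith) that implements the check described above: it requests both endpoints named in the advisory with no session cookie and reports whether each is now denied. APPSMITH_URL is an assumed environment variable naming the instance under test.

```shell
#!/bin/sh
# Post-upgrade check for CVE-2026-34411: probe the two instance-management
# endpoints from the advisory without any credentials and report whether
# each is denied (expected after 1.98.0) or still readable by anyone.
# APPSMITH_URL is an assumed variable, e.g. https://appsmith.example.com

ENDPOINTS="/api/v1/consolidated-api/view /api/v1/tenants/current"

# Map an HTTP status code to a verdict. 401/403 mean authentication is
# enforced; 200 means the endpoint still answers unauthenticated requests.
classify_status() {
    case "$1" in
        401|403) echo denied ;;
        200)     echo exposed ;;
        *)       echo unexpected ;;
    esac
}

# Fetch one endpoint with no cookie or token and print only the status code.
probe() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1$2"
}

# Probe every endpoint; return 1 if any of them is still exposed.
check_instance() {
    base="${1%/}"
    rc=0
    for ep in $ENDPOINTS; do
        code="$(probe "$base" "$ep")"
        verdict="$(classify_status "$code")"
        printf '%s -> HTTP %s (%s)\n' "$ep" "$code" "$verdict"
        [ "$verdict" = exposed ] && rc=1
    done
    return $rc
}

# Only contact a server when a target is configured, so the script can be
# sourced offline for its functions alone.
if [ -n "${APPSMITH_URL:-}" ]; then
    check_instance "$APPSMITH_URL"
fi
```

A 200 with a redirect to the login page would still be reported as exposed, so inspect the body in that case before treating the instance as vulnerable.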
Update Appsmith to version 1.98.0 or later. This version fixes the vulnerability that allowed unauthenticated access to the instance management API.
CVE-2026-34411 is a vulnerability in Appsmith versions 0.0–1.98.0 that allows unauthenticated attackers to retrieve sensitive configuration data and admin email hashes via exposed API endpoints.
You are affected if you are using Appsmith versions 0.0 through 1.98.0. Upgrade to 1.98.0 or later to mitigate the risk.
Upgrade Appsmith to version 1.98.0 or later. As a temporary workaround, restrict access to the vulnerable API endpoints using a WAF or proxy.
There is currently no indication of active exploitation, but the ease of access to the vulnerable endpoints warrants immediate attention.
Refer to the Appsmith security advisory for detailed information and updates: [https://appsmith.com/security](https://appsmith.com/security)