CVE-2026-55454: Appsmith: Caddy admin API exposed without authentication
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse proxy's admin API, which has no authentication by default, is bound to 0.0.0.0:2019 inside the container. The listener is not published to the host by docker-compose.yml, but it is reachable from the Appsmith server process itself, and therefore through any SSRF vulnerability in that process. An authenticated low-privileged user can drive such an SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. The upstream advisory states that this vulnerability is fixed in 2.1.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication-bypass-via-SSRF vulnerability in Appsmith allows an authenticated low-privileged user to reach the bundled Caddy reverse-proxy admin API, which listens on 0.0.0.0:2019 inside the container with no authentication of its own. The attacker drives a server-side request forgery (SSRF) from the Appsmith server process to issue arbitrary admin-API calls against Caddy, fully replacing its live configuration. Successful exploitation gives the attacker complete control over the reverse proxy: traffic interception, redirection, and credential theft across everything the proxy handles. The upstream advisory names Appsmith 2.1 as the fixed release (affected: below 2.1); HarborGuard's fix-version field is still empty because that release has not yet been ingested, and a patched-image rebuild will be made available as soon as the upstream fix image ships.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Appsmith or derive from its base layers. Any image containing an affected version of appsmithorg/appsmith is flagged automatically in both registry scans and CI/CD pipeline checks.
- Scoring and routing: Available. HarborGuard scores this CVE at CVSS 9.9 Critical and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on the configured ownership rules for the affected image or workload.
- Remediation: Pending upstream. Because no fixed upstream image has been ingested yet, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment appsmithorg/appsmith 2.1 or a later fix release is published. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are triggered without manual intervention once the upstream fix exists.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Appsmith application over the network to authenticate and trigger the SSRF that proxies requests to the in-container Caddy admin API.
- Authentication: Required
Any low-privilege Appsmith account is sufficient; no admin rights are needed to drive the SSRF toward the unauthenticated Caddy admin endpoint.
- Victim interaction: Not required
No victim action is needed; the attacker makes direct API calls to Appsmith and triggers the SSRF entirely on their own.
- Attack complexity: Low (AC:L in the CVSS vector)
The exploit is reliable and condition-free: no race conditions or special memory layout are involved. It needs only valid low-privilege credentials, an SSRF primitive in Appsmith reachable with those credentials, and knowledge of the admin API's address (http://0.0.0.0:2019/) and paths, which are Caddy defaults.
Blast Radius
- Attacker replaces the live Caddy reverse-proxy configuration, redirecting all proxied HTTP/S traffic to attacker-controlled destinations and intercepting credentials and session tokens in transit.
- Attacker can disable TLS termination or inject malicious upstream definitions, breaking service availability for every application behind the reverse proxy.
- With full Caddy config control, the attacker can also read the running configuration (the admin API's GET /config/ endpoint) and so learn internal routing topology and backend service addresses that would otherwise be invisible to a low-privileged user.
- Scope is marked Changed in the CVSS vector, meaning impact extends beyond the Appsmith container itself to any backend services and users whose traffic passes through the compromised proxy.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all images containing appsmithorg/appsmith below version 2.1, including images built on top of Appsmith base layers. Because no fixed upstream image has been ingested yet, HarborGuard re-checks the advisory on every ingest cycle and will automatically queue a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment appsmithorg/appsmith 2.1 is published. While awaiting the upstream fix, HarborGuard recommends compensating controls. Note that the admin listener and the SSRF source are the same container: the Appsmith server process talks to 0.0.0.0:2019 over the container's own network namespace, so pod-level network policy, security groups, or host firewall rules do not see that traffic and cannot block it. Controls that do help: move the Caddy admin endpoint off TCP by setting the Caddyfile global option `admin unix//run/caddy/admin.sock` (an HTTP SSRF cannot dial a Unix socket) and point any in-container `caddy reload` at it with `--address`, or disable it with `admin off` if the deployment never reloads Caddy at runtime; whether Appsmith's own startup scripts depend on the TCP listener must be verified before changing it. Additionally, restrict inbound access to the Appsmith application to trusted users to shrink the population of accounts that can trigger the SSRF, and consider feature-flag gating or WAF rules that block requests to the paths known to proxy internal admin-API calls. These controls do not eliminate the vulnerability but reduce the attack surface until the official patch is available.
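The two checks a practitioner wants from inside an affected container are (a) whether the Caddy admin API answers with no credentials at all, and (b) whether the live configuration contains reverse_proxy upstreams nobody configured, which is what the blast-radius items above describe. The following is an added example, not code from Appsmith, Caddy or HarborGuard: it uses Caddy's documented GET /config/ admin endpoint and the documented JSON layout of reverse_proxy handlers (`"handler": "reverse_proxy"`, `"upstreams": [{"dial": ...}]`). The allow-list, the sample configuration and the in-process stand-in server are constructed so the script runs offline; against a real container you would call `audit("http://0.0.0.0:2019", {...})` with the upstreams you actually deployed.

```python
"""Added example (not Appsmith's, Caddy's or HarborGuard's code): from inside
the Appsmith container, check whether the bundled Caddy admin API answers
unauthenticated, and audit the running config for reverse_proxy upstreams
outside an expected set. GET /config/ is Caddy's documented admin endpoint;
the allow-list, sample config and stand-in server below are constructed."""
import json
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread

# Constructed sample in Caddy's JSON config shape: one legitimate upstream
# nested under a subroute, plus a second upstream nobody configured.
SAMPLE_CONFIG = {
    "apps": {"http": {"servers": {"srv0": {
        "listen": [":443"],
        "routes": [
            {"handle": [{"handler": "subroute", "routes": [
                {"match": [{"path": ["/api/*"]}],
                 "handle": [{"handler": "reverse_proxy",
                             "upstreams": [{"dial": "localhost:8080"}]}]}]}]},
            {"handle": [{"handler": "reverse_proxy",
                         "upstreams": [{"dial": "203.0.113.7:8080"}]}]},
        ],
    }}}}
}


def admin_api_exposed(base_url, timeout=3):
    """True if GET /config/ returns 200 with no credentials at all.

    A hardened deployment (admin on a Unix socket, or admin off) refuses
    the TCP connection, so any 200 here means the admin API is open to
    whatever can open a socket, including an SSRF in the same container."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/config/",
                                    timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False


def iter_handlers(node):
    """Yield every handler object anywhere in a Caddy JSON config tree
    (routes may nest arbitrarily deep under subroute handlers)."""
    if isinstance(node, dict):
        if "handler" in node:
            yield node
        for value in node.values():
            yield from iter_handlers(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_handlers(item)


def unexpected_upstreams(config, allowed):
    """Return sorted reverse_proxy dial targets not present in the allow-list."""
    found = set()
    for handler in iter_handlers(config):
        if handler.get("handler") == "reverse_proxy":
            for up in handler.get("upstreams", []):
                dial = up.get("dial")
                if dial and dial not in allowed:
                    found.add(dial)
    return sorted(found)


def audit(base_url, allowed):
    """Fetch the live config over the admin API and audit it.
    Returns None when the admin API is not reachable (the good outcome)."""
    if not admin_api_exposed(base_url):
        return None
    with urllib.request.urlopen(base_url.rstrip("/") + "/config/",
                                timeout=3) as resp:
        return unexpected_upstreams(json.load(resp), allowed)


class _FakeCaddyAdmin(BaseHTTPRequestHandler):
    """Constructed stand-in for an exposed admin API so the example runs offline."""
    def do_GET(self):
        self.send_response(200 if self.path == "/config/" else 404)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(SAMPLE_CONFIG).encode())

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_fake_admin():
    """Start the stand-in on an ephemeral loopback port; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _FakeCaddyAdmin)
    Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    url = start_fake_admin()
    print("admin API exposed:", admin_api_exposed(url))
    print("unexpected upstreams:", audit(url, {"localhost:8080"}))
```

The `audit` return value distinguishes the three states a responder cares about: `None` (admin API unreachable, the hardened case), `[]` (reachable but config matches the allow-list, still vulnerable but not yet abused), and a non-empty list (reachable and carrying upstreams that were never deployed, which should be treated as an active compromise of the proxy).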
- appsmithorg/appsmith < 2.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H