CVE-2026-24042
Unauthorized Action Execution in Appsmith Public Apps (Pre
Publication date: 2026-01-22
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| appsmith | appsmith | up to and including 1.94 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
In Appsmith 1.94 and earlier, the POST /api/v1/actions/execute endpoint does not check whether an anonymous caller is allowed to run an action in edit mode. A public (published) app is meant to let unauthenticated visitors execute only the published version of its actions, but a request that sets viewMode=false, or simply omits viewMode, is executed against the unpublished (edit-mode) definition instead. An attacker who can reach a public app can therefore run draft queries and API calls that were never published, read development data, trigger their side effects (write operations, outbound API calls) and obtain any results or secrets those unpublished actions expose. The root cause is a missing authorization check (CWE-862). [1]
How can this vulnerability impact me?
An attacker needs nothing more than network access to a public Appsmith app. Executing edit-mode actions discloses development data and the results of unpublished queries, and because actions can write to datasources or call external APIs, the attacker can also change data or cause side effects in connected systems. Both the confidentiality and the integrity of the application and its backing datasources are at risk; the practical outcomes are data disclosure and unauthorized data manipulation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Web-server access logs alone are not enough, because viewMode travels in the request body (or query string), not in the URL path. Detection therefore needs a component that sees the body: a reverse proxy or WAF configured to log request bodies, or Appsmith's own application logs. Look for POST requests to /api/v1/actions/execute that carry no authenticated session (no session cookie or bearer token) and whose body either sets viewMode to false or omits viewMode entirely. Anonymous requests with viewMode=true are how published public apps normally work and should not be flagged on their own.

To probe your own instance, send the two request variants the advisory describes. A real action execution must also identify the action to run, which these minimal bodies do not, so they only show how the endpoint responds to an anonymous caller:

curl -X POST https://your-appsmith-instance/api/v1/actions/execute -H 'Content-Type: application/json' -d '{}'   (viewMode omitted)
curl -X POST https://your-appsmith-instance/api/v1/actions/execute -H 'Content-Type: application/json' -d '{"viewMode":false}'

The instance is vulnerable if such a request, sent without any session, executes an unpublished action. [1]
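The detection logic above, as an added example that is not part of this entry or of Appsmith's code: a Python classifier for request records exported by a body-logging reverse proxy or WAF. The record layout (method, path, headers, body), the SESSION cookie name used to recognise a logged-in user, and the sample requests are assumptions constructed for the example; only the endpoint path and the viewMode semantics come from the advisory. It flags anonymous POSTs to /api/v1/actions/execute whose viewMode is false or absent, and deliberately leaves anonymous viewMode=true requests alone, since those are the normal traffic of a published public app.

```python
"""Classify proxied Appsmith requests for CVE-2026-24042 (added example, not
Appsmith code). Record layout and the SESSION cookie name are assumptions."""
import json
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/api/v1/actions/execute"
SESSION_COOKIE = "SESSION"  # assumed name of Appsmith's login cookie


def is_authenticated(headers):
    """True if the request carries a session cookie or an Authorization header."""
    lower = {k.lower(): v for k, v in headers.items()}
    cookie_names = {p.split("=", 1)[0].strip() for p in lower.get("cookie", "").split(";") if "=" in p}
    return SESSION_COOKIE in cookie_names or "authorization" in lower


def _as_bool(value):
    """Normalise JSON booleans and 'true'/'false' strings; None if neither."""
    if isinstance(value, str):
        value = {"true": True, "1": True, "false": False, "0": False}.get(value.strip().lower())
    return value if isinstance(value, bool) else None


def _find_view_mode(obj):
    """Depth-first search for a viewMode key; follows JSON encoded inside strings,
    because the execute payload is wrapped in a DTO whose nesting may vary."""
    if isinstance(obj, str) and obj.lstrip().startswith(("{", "[")):
        try:
            obj = json.loads(obj)
        except ValueError:
            return None
    if isinstance(obj, dict) and "viewMode" in obj:
        return obj["viewMode"]
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else ()
    for child in children:
        found = _find_view_mode(child)
        if found is not None:
            return found
    return None


def view_mode(path, body):
    """True/False if viewMode is stated in the query string or body, else None."""
    query = parse_qs(urlsplit(path).query)
    if "viewMode" in query:
        return _as_bool(query["viewMode"][0])
    body = body or ""
    form = parse_qs(body)                     # application/x-www-form-urlencoded
    if "viewMode" in form:
        return _as_bool(form["viewMode"][0])
    found = _find_view_mode(body)             # plain JSON body, any nesting
    for part in body.split("\r\n"):           # JSON carried in multipart text parts
        if found is None:
            found = _find_view_mode(part)
    return _as_bool(found)


def classify(record):
    """Verdict for one request record; None if it is not an execute call."""
    if record.get("method", "").upper() != "POST" or urlsplit(record.get("path", "")).path != TARGET_PATH:
        return None
    mode = view_mode(record["path"], record.get("body"))
    if mode is True:
        return "ok: published action"          # anonymous published runs are normal for public apps
    if is_authenticated(record.get("headers", {})):
        return "info: edit-mode execution by logged-in user"
    return "ALERT: edit-mode execution without session (viewMode=%s)" % ("false" if mode is False else "absent")


def scan(records):
    """(index, verdict) for every record that reaches the execute endpoint."""
    out = []
    for i, rec in enumerate(records):
        verdict = classify(rec)
        if verdict is not None:
            out.append((i, verdict))
    return out


# Constructed sample records (not real traffic), as a body-logging proxy might emit them.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": TARGET_PATH, "headers": {"Content-Type": "application/json"},
     "body": '{"executeActionDTO": "{\\"actionId\\": \\"64f0a\\", \\"viewMode\\": false}"}'},  # anonymous, false
    {"method": "POST", "path": TARGET_PATH, "headers": {"content-type": "application/json"},
     "body": '{"actionId": "64f0a", "paramProperties": {}}'},                                    # anonymous, omitted
    {"method": "POST", "path": TARGET_PATH, "headers": {"Content-Type": "application/json"},
     "body": '{"actionId": "64f0a", "viewMode": true}'},                                        # anonymous, published
    {"method": "POST", "path": TARGET_PATH,
     "headers": {"Cookie": "SESSION=abc123; other=1", "Content-Type": "multipart/form-data; boundary=b"},
     "body": '--b\r\nContent-Disposition: form-data; name="executeActionDTO"\r\n\r\n'
             '{"actionId": "64f0a", "viewMode": false}\r\n--b--'},                               # editor session
    {"method": "GET", "path": "/api/v1/applications", "headers": {}, "body": ""},               # unrelated
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS):
        print(index, verdict)
```

Run it without arguments to classify the embedded samples, or feed it your proxy's records to triage real traffic. Because the flag lives in the body and may sit inside a JSON string within a multipart part, the search descends into string-encoded JSON rather than matching one fixed key path; the two alert verdicts distinguish an explicit viewMode=false from an omitted parameter so that both variants described in the advisory are visible in the output.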
What immediate steps should I take to mitigate this vulnerability?
No fixed release was available when this entry was published, so mitigation is about limiting exposure. Restrict who can reach affected Appsmith instances, especially public apps, with network-level controls such as IP allowlisting or a VPN requirement. At a body-inspecting proxy or WAF, block or alert on anonymous POST requests to /api/v1/actions/execute whose body sets viewMode=false or omits viewMode; do not block the endpoint outright, because published actions in public apps are executed through the same path and would stop working. Until a patch ships, reduce what an edit-mode execution could reach: remove or disable unpublished actions in public apps that touch sensitive datasources or external APIs, or make those apps non-public. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the flaw lets unauthenticated users read the output of unpublished actions and trigger writes through them, it can expose and modify personal or otherwise confidential data without any access control being applied. Regulations such as GDPR and HIPAA require appropriate access controls and protection of sensitive data, so an exploited instance can constitute a reportable breach and a compliance failure on both the confidentiality and the integrity side. [1]