Executive Summary

This vulnerability in Appsmith version 1.94 and below allows unauthenticated users to execute unpublished (edit-mode) actions by sending a request with 'viewMode=false' or omitting this parameter to the POST /api/v1/actions/execute endpoint. Normally, public users should only be able to execute published actions, but this flaw bypasses that restriction. As a result, attackers can run edit-mode queries and APIs, access development data, trigger side effects like write operations or external API calls, and expose sensitive data from unpublished actions. The root cause is missing authorization checks. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized execution of edit-mode actions, exposing sensitive data and development information. Attackers can modify data, trigger side effects such as write operations or external API calls, and potentially compromise the integrity and confidentiality of the application. This can result in data breaches, unauthorized data manipulation, and other security risks. [1]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by monitoring for POST requests to the endpoint /api/v1/actions/execute that include the parameter viewMode=false or omit the viewMode parameter entirely. For example, using network traffic analysis tools or web server logs, look for unauthenticated POST requests to this endpoint with these characteristics. A sample command using curl to test for the vulnerability might be: curl -X POST https://your-appsmith-instance/api/v1/actions/execute -d '{}' -H 'Content-Type: application/json' (omitting viewMode) or curl -X POST https://your-appsmith-instance/api/v1/actions/execute -d '{"viewMode":false}' -H 'Content-Type: application/json'. Detection involves checking if such requests succeed in executing unpublished actions without authentication. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Since there is no released fix available at the time of publication, immediate mitigation steps include restricting public access to the affected Appsmith applications, especially those that are publicly accessible and published. You should implement network-level access controls such as IP whitelisting or VPN requirements to limit who can reach the application. Additionally, monitor and block suspicious POST requests to /api/v1/actions/execute that include viewMode=false or omit the parameter. Consider disabling or restricting the execution of unpublished (edit-mode) actions until a patch is released. [1]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized access to sensitive data and execution of unpublished actions, leading to potential exposure and modification of confidential information. Such unauthorized data exposure and integrity violations can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. [1]

Useful 0 Not Useful 0