CVE-2026-5418
Received Received - Intake
Server-Side Request Forgery in Appsmith Dashboard Component

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.99 is recommended to address this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5418
EUVD
EUVD-2026-18518
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
appsmithorg appsmith to 1.97 (inc)
appsmithorg appsmith to 1.97 (exc)
appsmithorg appsmith to 1.92 (inc)
appsmithorg appsmith 1.99
appsmithorg appsmith to 1.92 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5418 is a Server-Side Request Forgery (SSRF) vulnerability found in Appsmith versions up to 1.97, specifically in the computeDisallowedHosts function of the WebClientUtils Java utility class. The vulnerability arises because the application uses a static blacklist of disallowed hosts based on exact string matching without proper range-based validation for user-supplied URLs. This allows attackers to bypass the blacklist and make the server send HTTP requests to internal network resources such as private IP ranges, localhost, internal Kubernetes services, or cloud metadata endpoints.

The blacklist does not cover entire private IP ranges or perform subnet checks, and its logic depends on environment variables, weakening security on non-Docker hosts. This flaw enables attackers to coerce the server into making unintended requests to internal services, potentially exposing sensitive information or enabling further attacks.

Compliance Impact

The vulnerability allows attackers to perform server-side request forgery (SSRF) to access internal network services, including sensitive internal admin interfaces, databases, and cloud metadata endpoints. This can lead to unauthorized access to sensitive information, credential theft, and potential privilege escalation.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data. The SSRF vulnerability increases the risk of data breaches and unauthorized data disclosure, which are critical compliance concerns under these standards.

Therefore, until the vulnerability is patched by upgrading to Appsmith version 1.99, affected deployments may face increased risk of non-compliance with these regulations due to potential data exposure and insufficient access controls.

Impact Analysis

This SSRF vulnerability can have several impacts including unauthorized access to internal network services, leading to information disclosure or privilege escalation.

  • Attackers can access internal admin interfaces, databases, or service endpoints.
  • In Kubernetes deployments, attackers may access the Kubernetes API server, retrieve ServiceAccount tokens, and manipulate cluster resources.
  • Attackers might exfiltrate sensitive configuration files, credentials, or metadata, especially in misconfigured environments.
  • Cloud metadata endpoints can be accessed, potentially leading to credential theft or privilege escalation.
Detection Guidance

This vulnerability involves Server-Side Request Forgery (SSRF) due to insufficient validation of server-side HTTP requests in Appsmith versions up to 1.97. Detection involves monitoring for unusual outbound HTTP requests from the Appsmith server to internal or sensitive IP ranges such as private IP ranges (10.0.0.0/8), localhost (127.0.0.1), Kubernetes cluster service names (e.g., kubernetes.default.svc), or cloud metadata endpoints.

You can detect potential exploitation by inspecting network traffic or logs for unexpected requests to these internal resources.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP requests from the Appsmith server.
  • Example tcpdump command to capture HTTP traffic from the server: sudo tcpdump -i <interface> tcp port 80 or tcp port 443 -w ssrf_capture.pcap
  • Check application logs for HTTP requests made by Appsmith to internal IPs or hostnames.
  • Use curl or wget commands on the server to test if internal endpoints are reachable, e.g., curl http://127.0.0.1 or curl http://kubernetes.default.svc

Since the vulnerability exploits weak host validation, attempts to access internal or cloud metadata endpoints via Appsmith may indicate exploitation.

Mitigation Strategies

The primary mitigation step is to upgrade the affected Appsmith component to version 1.99 or later, where the vulnerability has been fixed by improving host validation and removing reliance on static blacklists.

  • Upgrade Appsmith to version 1.99 or newer as soon as possible.
  • If immediate upgrade is not possible, restrict network access from the Appsmith server to internal IP ranges and cloud metadata endpoints using firewall rules or network segmentation.
  • Monitor logs and network traffic for suspicious outbound requests indicative of SSRF exploitation.

These steps reduce the risk of SSRF exploitation until the fixed version can be deployed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5418. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart