CVE-2026-50189
Analyzed Analyzed - Analysis Complete

Authenticated Command Execution in Appsmith via Supervisord XML-RPC

Vulnerability report for CVE-2026-50189, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup. This vulnerability is fixed in 2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
appsmith appsmith to 2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Appsmith versions prior to 2.1. The issue arises because Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, which is accessible from outside the container through a Caddy reverse-proxy route at /supervisor/* on the public ingress.

Additionally, the APPSMITH_SUPERVISOR_PASSWORD is exposed via a GET request to /api/v1/admin/env. This means that any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute operating system commands inside the Docker container using the twiddler.addProgramToGroup method.

This vulnerability allows for remote command execution within the container, which is a serious security risk. The issue was fixed in Appsmith version 2.1.

Impact Analysis

This vulnerability can have significant impacts including unauthorized execution of operating system commands inside the Docker container running Appsmith.

An authenticated administrator could exploit this to run arbitrary commands, potentially leading to data compromise, service disruption, or further escalation of privileges within the environment.

Because the XML-RPC interface is exposed publicly via the reverse proxy, it increases the attack surface and risk of exploitation.

Mitigation Strategies

The vulnerability is fixed in Appsmith version 2.1. Immediate mitigation involves upgrading Appsmith to version 2.1 or later.

Additionally, restricting access to the supervisord XML-RPC interface on port 9001 and the /supervisor/* route exposed via the Caddy reverse-proxy can help reduce exposure.

Ensure that the APPSMITH_SUPERVISOR_PASSWORD is not exposed via the GET /api/v1/admin/env endpoint to prevent unauthorized authenticated administrators from exploiting the vulnerability.

Compliance Impact

This vulnerability allows an authenticated administrator to execute arbitrary OS commands within the Docker container, potentially leading to unauthorized access, data manipulation, or system compromise.

Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and system security.

Because the vulnerability affects confidentiality, integrity, and availability, organizations using affected versions of Appsmith may face increased risk of non-compliance if exploited.

Detection Guidance

This vulnerability can be detected by checking if the supervisord XML-RPC interface is exposed on port 9001 and accessible externally via the Caddy reverse-proxy route at /supervisor/*. Additionally, verifying if the APPSMITH_SUPERVISOR_PASSWORD is accessible through the admin-only endpoint GET /api/v1/admin/env can indicate susceptibility.

Suggested commands to detect exposure include:

  • Use a network scanning tool like nmap to check if port 9001 is open and reachable: nmap -p 9001 <target-ip>
  • Attempt to access the supervisord XML-RPC interface via HTTP to see if it responds: curl http://<target-ip>:9001/RPC2
  • Check if the Caddy reverse-proxy route is exposing the interface publicly: curl http://<target-domain>/supervisor/
  • Verify if the APPSMITH_SUPERVISOR_PASSWORD is exposed by querying the admin environment endpoint (requires admin authentication): curl -H "Authorization: Bearer <admin-token>" http://<target-domain>/api/v1/admin/env

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50189. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart