CVE-2026-55454
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API, which has no authentication by default, is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or through an SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
1 associated CPE
Vendor: appsmith
Product: appsmith
Version / Range: up to 2.1 (excluding 2.1)
CWE
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-749: The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Executive Summary

This vulnerability exists in Appsmith versions prior to 2.1, involving the bundled Caddy reverse-proxy's admin API which by default has no authentication and listens on 0.0.0.0:2019 inside the container.

Although this listener is not directly exposed to the host via docker-compose.yml, it can be accessed from the Appsmith server process itself or through a Server-Side Request Forgery (SSRF) vulnerability.

An authenticated low-privileged user can exploit the SSRF to send POST requests to the admin API, such as /load, allowing them to fully replace the live Caddy configuration and take control over the reverse proxy.

This issue is fixed in Appsmith version 2.1.

Impact Analysis

Exploitation of this vulnerability allows an authenticated low-privileged user to take over the Caddy reverse proxy by replacing its live configuration.

This can lead to complete compromise of the reverse proxy, potentially allowing attackers to intercept, modify, or redirect traffic, resulting in confidentiality, integrity, and availability impacts.

The CVSS score of 9.9 indicates a critical severity with high impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability involves the bundled Caddy reverse-proxy's admin API listening on 0.0.0.0:2019 inside the container without authentication. Detection can focus on two questions: whether this port is reachable from inside the container (or from other containers on the same network), and whether an SSRF vulnerability exists that would let a request reach it.

You can check if the Caddy admin API port is open inside the container by running commands such as:

  • Inside the Appsmith container, run: netstat -tuln | grep 2019
  • From the Appsmith server process or container, attempt to curl the admin API endpoint: curl http://0.0.0.0:2019/admin/api/endpoint

Additionally, test for SSRF vulnerabilities that might allow an authenticated low-privileged user to send POST requests to http://0.0.0.0:2019/load or other admin API calls.
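The first check above relies on netstat, which is often absent from slim container images. The script below is an added example (not code from BaseFortify, Appsmith or the Caddy project) that answers the same question by reading /proc/net/tcp directly and classifying any LISTEN socket on Caddy's default admin port 2019 by its bind address. It assumes the kernel's usual /proc/net/tcp layout (hex little-endian IPv4 address, hex port 07E3 = 2019, state 0A = LISTEN); the three sample tables it ships with are constructed for illustration, not captured from a real Appsmith container.

```shell
#!/bin/sh
# Added example, not from BaseFortify, Appsmith or Caddy: report TCP listeners on
# Caddy's default admin port (2019) by parsing /proc/net/tcp, which is available
# even when netstat/ss are not installed in the container.
# Kernel format assumptions: port is hex (07E3 = 2019), state 0A = LISTEN,
# local address is little-endian hex IPv4 (00000000 = 0.0.0.0, 0100007F = 127.0.0.1).

CADDY_ADMIN_PORT_HEX="07E3"

# hex_to_ip 0100007F  ->  127.0.0.1  (reverse the byte order of the kernel's hex form)
hex_to_ip() {
  h="$1"
  b1=$((0x$(printf '%s' "$h" | cut -c1-2)))
  b2=$((0x$(printf '%s' "$h" | cut -c3-4)))
  b3=$((0x$(printf '%s' "$h" | cut -c5-6)))
  b4=$((0x$(printf '%s' "$h" | cut -c7-8)))
  echo "$b4.$b3.$b2.$b1"
}

# check_caddy_admin_listener [FILE]
# Scans a /proc/net/tcp-format file (default: the live one) and prints one line per
# LISTEN socket on port 2019. The exit status encodes the worst finding:
#   0 = no listener on 2019   1 = bound to a specific address only   2 = bound to 0.0.0.0
check_caddy_admin_listener() {
  file="${1:-/proc/net/tcp}"
  status=0
  while read -r sl laddr raddr st rest; do
    [ "$sl" = "sl" ] && continue                              # header line
    [ "$st" = "0A" ] || continue                               # LISTEN sockets only
    [ "${laddr##*:}" = "$CADDY_ADMIN_PORT_HEX" ] || continue   # port 2019 only
    addr="${laddr%%:*}"
    if [ "$addr" = "00000000" ]; then
      echo "WARN 0.0.0.0:2019 LISTEN - admin API reachable from every container interface"
      status=2
    else
      echo "INFO $(hex_to_ip "$addr"):2019 LISTEN"
      if [ "$status" -lt 1 ]; then status=1; fi
    fi
  done < "$file"
  return "$status"
}

# Constructed /proc/net/tcp-style samples (illustrative, not captured from a real host).
# Only the first four columns matter to the check; the rest is filler in the kernel's shape.
SAMPLE_EXPOSED='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:07E3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 0 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 0 1 0 100 0 0 10 0'
SAMPLE_LOOPBACK='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:07E3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 0 1 0 100 0 0 10 0'
SAMPLE_NONE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 0 1 0 100 0 0 10 0
   1: 0100007F:07E3 0100007F:D431 01 00000000:00000000 00:00000000 00000000     0        0 0 1 0 100 0 0 10 0'

# check_string TEXT: run the check over an in-memory table (used for the samples above).
check_string() {
  tmp=$(mktemp)
  printf '%s\n' "$1" > "$tmp"
  rc=0
  check_caddy_admin_listener "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Inside the Appsmith container the real check is simply: check_caddy_admin_listener
# Here the three constructed samples are run so the script demonstrates itself offline.
for s in "$SAMPLE_EXPOSED" "$SAMPLE_LOOPBACK" "$SAMPLE_NONE"; do
  check_string "$s"; echo "exit status: $?"
done
```

The script only looks at IPv4 sockets; a listener on [::]:2019 would appear in /proc/net/tcp6 with a 32-hex-digit address and needs the same treatment there. A loopback-only bind (exit status 1) narrows the exposure to processes inside the same network namespace, but because the Caddy admin API has no authentication by default, the check says nothing about who may call it once reached. In generic Caddy deployments the bind address and the API itself are controlled by Caddy's global admin option (admin off, or admin localhost:2019); how Appsmith 2.1 resolved the issue is not stated on this page.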

Mitigation Strategies

The vulnerability is fixed in Appsmith version 2.1. The immediate mitigation step is to upgrade Appsmith to version 2.1 or later.

Until the upgrade can be performed, consider restricting access to the Caddy admin API port (2019) inside the container and ensure that SSRF vulnerabilities are not exploitable by low-privileged users.

Also, review and harden the docker-compose.yml configuration to avoid exposing the admin API port to the host or other untrusted networks.
