Skip to content
July 13, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Vulnerability Report
  • Critical Appsmith Flaw CVE-2026-22794 Allows Account Takeover
  • Vulnerability Report

Critical Appsmith Flaw CVE-2026-22794 Allows Account Takeover

Do Son January 14, 2026 3 minutes read
0
CVE-2026-24042 Appsmith Vulnerability CVE-2026-22794
Add Daily CyberSecurity as a preferred source on Google

A critical vulnerability has been discovered in Appsmith, the popular open-source platform used by organizations to build internal dashboards and admin panels. Tracked as CVE-2026-22794, the flaw carries a near-maximum CVSS score of 9.7, allowing remote attackers to hijack user accounts by simply manipulating a single HTTP header.

The vulnerability stems from a dangerous lack of validation in how the platform handles password reset and email verification requests. By exploiting this oversight, an attacker can trick the server into sending sensitive authentication tokens directly to a domain they control.

The core of the issue lies in how Appsmith generates links for emails. According to the disclosure, “The server uses the Origin value from the request headers as the email link baseUrl without validation”.

In a secure implementation, the server should rely on a fixed, trusted configuration for its domain name. However, the vulnerable versions of Appsmith blindly trust the Origin header provided in the incoming request. This means an attacker can send a password reset request for a victim’s email address but manipulate the header to point to a malicious site (e.g., https://attacker-controlled-site.com).

The exploitation process is alarmingly simple and requires no advanced access:

  1. An attacker initiates a password reset for a target user but sets the Origin header to their own malicious domain .
  2. The server generates a legitimate password reset token but constructs the link using the attacker’s domain as the base. The email sent to the victim looks like: https://[attacker-domain]/user/resetPassword?token=….
  3. When the unsuspecting victim clicks the link in the official email, their browser sends a request to the attacker’s server, leaking the valid reset token.
  4. Armed with the token, the attacker can reset the password and “gain access to the account”.

Because Appsmith is designed to connect to internal databases, APIs, and business logic, a compromised account can have devastating consequences. The report warns of Account Takeover, where attackers gain full control of the victim’s profile, and Personal Information Exposure, putting user data at risk.

Furthermore, the vulnerability opens the door to Phishing and Malicious Redirection, leveraging the trust users have in legitimate system emails to lure them into traps.

The vulnerability affects Appsmith version 1.92. The development team has released a fix in version 1.93, which properly validates the base URL generation .

Administrators running self-hosted instances of Appsmith are urged to upgrade immediately. Given the high CVSS score and the ease of exploitation, this vulnerability represents a significant risk to the internal security of organizations relying on the platform.

Related Posts:

  • CVE-2024-55963: Appsmith’s Default PostgreSQL Misconfiguration Leads to RCE, PoC Releases
  • Beyond HTML: The Hidden Danger of Phishing in HTTP Response Headers
  • Multiple Security Vulnerabilities Plague PHP, Exposing Applications to Risk
  • CISA Warns of Credential Risks Tied to Oracle Cloud Breach
  • GitLab Patches High-Severity Flaws: Update Now to Prevent XSS and Account Takeover

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • Active Exploitation in the Wild: Critical Qinglong Bypasses Fuel Covert Cryptomining Campaign
  • GPU Security Alert: NVIDIA Drivers Hit with Critical 8.8 CVSS Flaw and Enterprise vGPU Bugs
  • Microsoft Exchange Vulnerability CVE-2026-45504 Gets Public PoC Exploit
  • SuiteCRM SQL Injection Flaws (CVE-2025-64492, CVE-2025-64493) Expose Customer Data
  • Google’s Big Sleep AI Foils Live Zero-Day Exploit in SQLite (CVE-2025-6965)
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Account Takeover API security Appsmith CVE-2026-22794 host header injection Low Code Platform Open Source Security Password Reset Vulnerability

Leave a Reply Cancel reply

You must be logged in to post a comment.

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-14453CVSS 9.6
    This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets...
  • CVE-2026-59518CVSS 9.8
    Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This...
  • CVE-2026-59515CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57813CVSS 9.8
    Incorrect Privilege Assignment vulnerability in properfraction MailOptin mailoptin allows Privilege Escalation.This issue...
  • CVE-2026-57811CVSS 10.0
    Improper Control of Generation of Code ('Code Injection') vulnerability in Realtyna Realtyna...
  • CVE-2026-57770CVSS 9.8
    Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object...
  • CVE-2026-57744CVSS 9.8
    Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions...
  • CVE-2026-57739CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57738CVSS 9.8
    Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This...
  • CVE-2026-57726CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.