A critical security flaw has been discovered in Appsmith, the popular open-source platform used by organizations worldwide to build internal tools like dashboards and admin panels. The vulnerability, tracked as CVE-2026-24042, carries a critical CVSS score of 9.4, potentially exposing sensitive development data and unpublished logic to the public.
Appsmith is a go-to tool for developers looking for “rapid development of these applications,” allowing them to connect databases, write business logic, and drag-and-drop UIs with ease. However, a lapse in how the platform handles public applications has created a dangerous loophole.
The vulnerability centers on a “viewMode confusion” error. In a standard setup, public viewers of an app should only be able to execute actions that have been officially published. However, researchers found that the system failed to enforce this boundary strictly.
“Publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute,” the advisory explains.
By simply manipulating a web request, an unauthenticated user could bypass the “expected publish boundary,” tricking the system into running code that was meant to stay in the development or edit phase.
The implications of this bypass are severe. It effectively blurs the line between a secure, public-facing tool and its raw, potentially sensitive backend logic. The impact includes:
- Unauthorized Execution: Attackers can run “edit-mode queries and APIs” that were never meant for public consumption.
- Data Leakage: Sensitive data hidden in unpublished actions could be exposed.
- Unintended Write Access: Malicious actors could “trigger side effects (write operations, external API calls)” or modify development data sources.
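The root cause described above is an authorization decision driven by a client-supplied flag. The following is an added, hypothetical model of that pattern and its fix, written for this article and not taken from Appsmith's code base: the action records, request shape and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Action:
    name: str
    published: Optional[dict]   # config visible to public viewers; None if never published
    unpublished: dict           # edit-mode config, may hold queries not meant for release

@dataclass
class Request:
    action_name: str
    authenticated: bool         # True for a logged-in editor session
    view_mode: Optional[bool]   # client-supplied viewMode; None means the field was omitted

class Forbidden(Exception):
    pass

# Constructed sample actions of a public app (not real Appsmith data)
ACTIONS = {
    "list_orders": Action(
        "list_orders",
        published={"sql": "SELECT id, status FROM orders"},
        unpublished={"sql": "SELECT * FROM orders JOIN customers USING (customer_id)"},
    ),
    # Exists only in edit mode: no published version at all
    "purge_cache": Action("purge_cache", published=None, unpublished={"sql": "DELETE FROM cache"}),
}

def execute_vulnerable(req: Request) -> dict:
    """Models the flaw: the request's viewMode alone picks the config, so an
    anonymous caller who sends viewMode=false or omits it gets the edit-mode action."""
    action = ACTIONS[req.action_name]
    return action.published if req.view_mode is True else action.unpublished

def execute_hardened(req: Request) -> dict:
    """Derives the mode from the caller's rights; the request flag is never the gate."""
    action = ACTIONS[req.action_name]
    if not req.authenticated:
        # Public viewers only ever cross the publish boundary, whatever they sent
        if action.published is None:
            raise Forbidden(f"{action.name} has no published version")
        return action.published
    # Editors are entitled to edit mode, so the flag may still select it for them
    return action.published if req.view_mode is True else action.unpublished
```

The same check belongs on every route that resolves an action, since a public app's viewers must never be able to reach an unpublished configuration by changing a request field.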
This vulnerability specifically affects applications that are “published and made public”. Organizations using Appsmith v1.94 are vulnerable and should take immediate action.
The development team has released a patch to close this loophole. Users are strongly advised to upgrade to version v1.95 or later to ensure their internal tools remain internal.