{"id":"CVE-2026-34411","summary":"Appsmith \u003c 1.98 Unauthenticated Instance Configuration Disclosure via Management APIs","details":"Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.","aliases":["BIT-appsmith-2026-34411","GHSA-qvvc-prjx-f85j"],"modified":"2026-07-08T08:12:50.105847737Z","published":"2026-03-27T16:24:16.385Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34411.json","unresolved_ranges":[{"extracted_events":[{"fixed":"1.98.0"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"VulnCheck","cwe_ids":["CWE-306"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34411.json"},{"type":"ADVISORY","url":"https://github.com/appsmithorg/appsmith/security/advisories/GHSA-qvvc-prjx-f85j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34411"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/appsmith-unauthenticated-instance-configuration-disclosure-via-management-apis"},{"type":"PACKAGE","url":"https://github.com/appsmithorg/appsmith"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/appsmithorg/appsmith","events":[{"introduced":"0"},{"fixed":"0d2a7af63d473535e0bf43d44f9f03323ead411c"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.98"}]}}],"versions":["v1.97","v1.96","v1.95","v1.94","v1.93","v1.92","v1.91","v1.90","v1.89","v1.88","v1.86","v1.85","v1.84","v1.83","v1.82","v1.81","v1.80","v1.79","v1.78","v1.77","v1.76","v1.75","v1.74","v1.73","v1.72","v1.71","v1.70","v1.69","v1.68","v1.67","v1.66","v1.65","v1.64","v1.63","v1.62","v1.61","v1.60","v1.59","v1.58","v1.57","v1.56","v1.55","v1.54","v1.53","v1.52","v1.49","v1.48","v1.51","v1.50","v1.47","v1.46","v1.45","v1.44","v1.43","v1.42","v1.41","v1.40","v1.39","v1.38.1","v1.38","v1.37","v1.36","v1.35","v1.34","v1.33","v1.32","v1.31","v1.30","v1.29","v1.28","v1.27","v1.26","v1.25","v1.24","v1.23","v1.22.1","V1.22","v1.21","v1.20","v1.19","v1.18","v1.17","v1.16","v1.15","v1.14","v1.13","v1.12","v1.11","v1.10","v1.9.61","v1.9.60","v1.9.58","v1.9.57","v1.9.56","v1.9.55","v1.9.54","v1.9.53","v1.9.52","v1.9.51","v1.9.50","v1.9.49","v1.9.48","v1.9.47","v1.9.46","v1.9.45","v1.9.44","v1.9.43","v1.9.42","v1.9.41","v1.9.40","v1.9.39","v1.9.38","v1.9.37.1","v1.9.37","v1.9.36","v1.9.35","v1.9.34","v1.9.33","v1.9.32","v1.9.31","v1.9.30","v1.9.29","v1.9.28","v1.9.27","v1.9.26","v1.9.25","v1.9.24","v1.9.23","v1.9.22","v1.9.21","v1.9.20.4","v1.9.20.3","v1.9.20.2","v1.9.20","v1.9.19","v1.9.18","v1.9.17","v1.9.16","v1.9.15","v1.9.14","v1.9.13","v1.9.12","v1.9.11","v1.9.10","v1.9.9","v1.9.8","v1.9.7","v1.9.6","v1.9.5","v1.9.4","v1.9.3.1","v1.9.3","v1.9.2","v1.9.1","v1.9.0","v1.8.15","v1.8.14.1","v1.8.14","v1.8.13","v1.8.12","v1.8.11","v1.8.10","v1.8.9","v1.8.8","v1.8.7","v1.8.6","v1.7.11","v1.8.5","v1.8.4","v1.8.3","v1.8.2","v1.8.1","v1.8.0","v1.7.14","v1.7.13","v1.7.12","v1.7.10","v1.7.9","v1.7.8","v1.7.7","v1.7.6","v1.7.5","v1.7.4","v1.7.1","v1.7.0","v.1.6.25","v.1.6.23","v1.6.21","v1.6.20","v1.6.19","v1.6.18","v1.6.17","v1.6.16","v1.6.15","v1.6.14","v1.6.13","v1.6.12","v1.6.11","v1.6.10","v1.6.9","v1.6.8","v1.6.7","v1.6.6","v1.6.5","v1.6.4","v1.6.3","v1.5.17","v1.4.4","v1.4.3","v1.2.16","v1.2.4","v1.2.2","v1.2.1","v1.2","v1.1","v1.0.2","v1.0.1","v1.0","v1.0-beta.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34411.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}