{"id":"CVE-2026-55454","summary":"Appsmith: Caddy admin API exposed without authentication","details":"Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.","aliases":["BIT-appsmith-2026-55454","GHSA-8jvv-gwqg-6vjc"],"modified":"2026-07-08T08:26:30.682931749Z","published":"2026-06-24T21:38:07.844Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55454.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-1188","CWE-749"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55454.json"},{"type":"ADVISORY","url":"https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55454"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/appsmithorg/appsmith","events":[{"introduced":"0"},{"fixed":"9293a9b5a19b948f0c06cb33ac053bcaaf62144b"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.1"}]}}],"versions":["v2.0","v1.99","v1.98","v1.97","v1.96","v1.95","v1.94","v1.93","v1.92","v1.91","v1.90","v1.89","v1.88","v1.86","v1.85","v1.84","v1.83","v1.82","v1.81","v1.80","v1.79","v1.78","v1.77","v1.76","v1.75","v1.74","v1.73","v1.72","v1.71","v1.70","v1.69","v1.68","v1.67","v1.66","v1.65","v1.64","v1.63","v1.62","v1.61","v1.60","v1.59","v1.58","v1.57","v1.56","v1.55","v1.54","v1.53","v1.52","v1.49","v1.48","v1.51","v1.50","v1.47","v1.46","v1.45","v1.44","v1.43","v1.42","v1.41","v1.40","v1.39","v1.38.1","v1.38","v1.37","v1.36","v1.35","v1.34","v1.33","v1.32","v1.31","v1.30","v1.29","v1.28","v1.27","v1.26","v1.25","v1.24","v1.23","v1.22.1","V1.22","v1.21","v1.20","v1.19","v1.18","v1.17","v1.16","v1.15","v1.14","v1.13","v1.12","v1.11","v1.10","v1.9.61","v1.9.60","v1.9.58","v1.9.57","v1.9.56","v1.9.55","v1.9.54","v1.9.53","v1.9.52","v1.9.51","v1.9.50","v1.9.49","v1.9.48","v1.9.47","v1.9.46","v1.9.45","v1.9.44","v1.9.43","v1.9.42","v1.9.41","v1.9.40","v1.9.39","v1.9.38","v1.9.37.1","v1.9.37","v1.9.36","v1.9.35","v1.9.34","v1.9.33","v1.9.32","v1.9.31","v1.9.30","v1.9.29","v1.9.28","v1.9.27","v1.9.26","v1.9.25","v1.9.24","v1.9.23","v1.9.22","v1.9.21","v1.9.20.4","v1.9.20.3","v1.9.20.2","v1.9.20","v1.9.19","v1.9.18","v1.9.17","v1.9.16","v1.9.15","v1.9.14","v1.9.13","v1.9.12","v1.9.11","v1.9.10","v1.9.9","v1.9.8","v1.9.7","v1.9.6","v1.9.5","v1.9.4","v1.9.3.1","v1.9.3","v1.9.2","v1.9.1","v1.9.0","v1.8.15","v1.8.14.1","v1.8.14","v1.8.13","v1.8.12","v1.8.11","v1.8.10","v1.8.9","v1.8.8","v1.8.7","v1.8.6","v1.7.11","v1.8.5","v1.8.4","v1.8.3","v1.8.2","v1.8.1","v1.8.0","v1.7.14","v1.7.13","v1.7.12","v1.7.10","v1.7.9","v1.7.8","v1.7.7","v1.7.6","v1.7.5","v1.7.4","v1.7.1","v1.7.0","v.1.6.25","v.1.6.23","v1.6.21","v1.6.20","v1.6.19","v1.6.18","v1.6.17","v1.6.16","v1.6.15","v1.6.14","v1.6.13","v1.6.12","v1.6.11","v1.6.10","v1.6.9","v1.6.8","v1.6.7","v1.6.6","v1.6.5","v1.6.4","v1.6.3","v1.5.17","v1.4.4","v1.4.3","v1.2.16","v1.2.4","v1.2.2","v1.2.1","v1.2","v1.1","v1.0.2","v1.0.1","v1.0","v1.0-beta.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55454.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}