Appsmith · Appsmith · CVE-2026-22794
**Appsmith and Affected Versions**
Appsmith versions prior to 1.93
**Description**
Appsmith, a platform for building admin panels and internal tools, has a critical flaw: when generating the links embedded in password-reset and email-verification emails, the server uses the `Origin` header of the incoming request as the link base without validating it. The `Origin` header is set by whoever sends the request, so an attacker who triggers a reset or verification email for a victim while supplying a crafted `Origin` obtains an email whose link points at a domain the attacker controls. The reset or verification token is carried in that link, so when the victim follows it the token is delivered to the attacker, who can then complete the reset and take over the account, including administrative accounts. The root cause is improper input validation (CWE-20).

The attack chain is: send crafted requests with a malicious `Origin` header, poison the resulting password-reset or verification emails, capture the valid tokens, reset the passwords, and gain full control of the affected accounts. Roughly 6,000 instances are reported as exposed. Both internet-facing and internally reachable self-hosted Appsmith instances are affected. The API endpoint that generates the links is not named here; the flaw lies in how the `Origin` header is consumed by the password-reset and email-verification flows.
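The following Python sketch is an added illustration, not Appsmith's own code, of the two link-building patterns the description contrasts: one that trusts the request's `Origin` header and one that takes the link base only from operator configuration. The base URL, the reset path `/user/resetPassword`, the header values and the function names are all assumptions for the demo; the advisory does not give Appsmith's real endpoint.

```python
# Added illustration (not Appsmith code): a password-reset link built from the
# request's Origin header versus one built from a configured base URL.
import secrets
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Operator-configured canonical URL of the deployment (assumed name and value).
CONFIGURED_BASE_URL = "https://appsmith.example.internal"

# Hypothetical reset-page path; the real Appsmith path is not given on the page.
RESET_PATH = "/user/resetPassword"


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the request's Origin header becomes the link base.
    Any HTTP client can set Origin, so the attacker chooses where the token goes."""
    origin = headers.get("Origin") or CONFIGURED_BASE_URL
    return f"{origin}{RESET_PATH}?token={token}"


def origin_is_allowed(origin: Optional[str]) -> bool:
    """Accept an Origin only if scheme and host[:port] match the configured base URL.
    A prefix match is deliberately not used: 'https://appsmith.example.internal.evil.example'
    must fail."""
    if not origin:
        return False
    want = urlsplit(CONFIGURED_BASE_URL)
    got = urlsplit(origin)
    return (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower()) \
        and got.path in ("", "/")


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the link base always comes from configuration.
    The headers argument is accepted only to keep the two signatures alike; the
    request supplies nothing but the token's recipient. Note that falling back to
    the Host header would not help: Host is attacker-controlled as well."""
    base = urlsplit(CONFIGURED_BASE_URL)
    return urlunsplit((base.scheme, base.netloc, RESET_PATH, f"token={token}", ""))


# Constructed headers an attacker might send with the reset request.
ATTACKER_HEADERS = {"Origin": "https://evil.example", "Host": "appsmith.example.internal"}


def demo() -> dict:
    """Build both links for the same attacker request and return them side by side."""
    token = secrets.token_urlsafe(16)
    return {
        "vulnerable": build_reset_link_vulnerable(ATTACKER_HEADERS, token),
        "hardened": build_reset_link_hardened(ATTACKER_HEADERS, token),
        "origin_allowed": origin_is_allowed(ATTACKER_HEADERS["Origin"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s} {value}")
```

The point of `origin_is_allowed` is the exact scheme-and-host comparison: a `startswith` check on the configured URL is a common mistake and lets a look-alike subdomain of the attacker's zone through.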
**Recommendations**
Upgrade to Appsmith version 1.93 or later immediately.
As an interim mitigation, validate the `Origin` header at a reverse proxy or Web Application Firewall (WAF) on the password-reset and email-verification requests, allowing only the deployment's own origin, or strip the header on those requests. Prefer validation where the instance relies on cross-origin requests, since stripping `Origin` can break legitimate CORS; and do not substitute the `Host` header as the link base, because it is equally attacker-controlled.
Audit password-reset and email-verification requests for `Origin` values that do not match the deployment's own origin, and investigate any unexpected password changes or verification events.
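The audit step above can be run over proxy logs. The script below is an added example, not Appsmith or vendor tooling: it flags reset and verification requests whose `Origin` does not exactly match the deployment's origin. The log format, the request paths under `/api/v1/users/`, the hosts and the client addresses are all constructed for the demo; the advisory does not name the real endpoints, so substitute your deployment's paths and a log format that records the `Origin` header.

```python
# Added example (not Appsmith code): flag password-reset and email-verification
# requests whose Origin header does not match the deployment's own origin.
import re
from typing import List, Optional, Tuple

from urllib.parse import urlsplit

# The deployment's own origin(s); assumed value.
ALLOWED_ORIGINS = {"https://appsmith.example.internal"}

# Request paths worth auditing. Assumed names: the advisory does not give
# Appsmith's real endpoints, so adjust to what your proxy actually logs.
SENSITIVE_PATH_RE = re.compile(
    r"/api/v1/users/(forgotPassword|resetPassword|verifyEmail|resendEmailVerification)",
    re.IGNORECASE,
)

# Constructed proxy log lines: client, method, path, status, Origin header ("-" if absent).
SAMPLE_LOG = """\
10.0.0.5 POST /api/v1/users/forgotPassword 200 https://appsmith.example.internal
10.0.0.5 POST /api/v1/applications 200 https://appsmith.example.internal
203.0.113.9 POST /api/v1/users/forgotPassword 200 https://evil.example
203.0.113.9 POST /api/v1/users/resendEmailVerification 200 https://appsmith.example.internal.evil.example
198.51.100.7 POST /api/v1/users/forgotPassword 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<origin>\S+)$"
)


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Reduce an Origin value to scheme://host[:port] in lower case; None if absent."""
    if origin in (None, "", "-"):
        return None
    parts = urlsplit(origin)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc.lower()}"
    return origin.lower()


def audit(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client, path, origin) for sensitive requests whose Origin
    is present and not in ALLOWED_ORIGINS. An absent Origin is not reported: the
    attack described on this page requires supplying one to redirect the link."""
    allowed = {normalize_origin(o) for o in ALLOWED_ORIGINS}
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match or not SENSITIVE_PATH_RE.search(match["path"]):
            continue
        origin = normalize_origin(match["origin"])
        if origin is None or origin in allowed:
            continue
        findings.append((line_no, match["ip"], match["path"], match["origin"]))
    return findings


if __name__ == "__main__":
    for line_no, client, path, origin in audit(SAMPLE_LOG):
        print(f"line {line_no}: {client} {path} Origin={origin}")
```

Matching is on the whole normalized origin rather than a prefix, so the look-alike `https://appsmith.example.internal.evil.example` on the fourth sample line is reported; a client address that appears in such findings is a good pivot for checking which accounts received reset emails in the same window.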