PT-2026-2309 · Appsmith · Appsmith

J1Vvoo · Published 2026-01-12 · Updated 2026-02-18 · CVE-2026-22794

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Versions

Appsmith versions prior to 1.93
Description

Appsmith, a platform for building admin panels and internal tools, has a critical issue: when generating email links for password resets and email verification, the server uses the Origin header from the request without validating it. An attacker who controls the Origin header can make these links point to their own domain, intercept the authentication tokens they carry, and potentially take over accounts, including administrative ones. The issue stems from improper input validation (CWE-20). Approximately 6,000 instances are exposed. Attackers can send crafted requests with malicious Origin headers, poison password reset and verification emails, capture valid reset tokens, reset passwords, and gain full control of the account. The vulnerability affects both internet-facing and internally reachable self-hosted Appsmith instances. The API endpoint that generates these links is not explicitly named, but the vulnerability involves manipulation of the Origin header in requests related to password reset and email verification.
Recommendations

Upgrade to Appsmith version 1.93 or later immediately. As a mitigation, strip or validate Origin headers at a reverse proxy or Web Application Firewall (WAF). Audit password reset requests for abnormal Origin headers and investigate any unexpected password changes.
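As an added illustration (not Appsmith's code; the paths, hostnames and log format are constructed placeholders, since the advisory does not name the endpoint), the link-building pattern described above beside a hardened version, plus the abnormal-Origin audit the recommendations call for, run over constructed proxy log lines:

```python
from urllib.parse import urlsplit

# Constructed values for this illustration (not Appsmith's configuration).
ALLOWED_ORIGINS = {"https://appsmith.example.internal"}
CANONICAL_BASE = "https://appsmith.example.internal"
RESET_PATH = "/reset-password"              # hypothetical link path
RESET_REQUEST_PATH = "/api/password-reset"  # hypothetical request path


def vulnerable_reset_link(origin_header: str, token: str) -> str:
    """The pattern the advisory describes: the request's Origin header is
    used verbatim, so whoever sets it chooses where the token is sent."""
    return f"{origin_header}{RESET_PATH}?token={token}"


def hardened_reset_link(origin_header: str, token: str) -> str:
    """Accept only a scheme://host that exactly matches the allowlist;
    anything else (missing, foreign, or a look-alike suffix such as
    appsmith.example.internal.attacker.example) falls back to the
    configured canonical base URL."""
    parts = urlsplit(origin_header or "")
    candidate = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""
    base = candidate if candidate in ALLOWED_ORIGINS else CANONICAL_BASE
    return f"{base}{RESET_PATH}?token={token}"


# Constructed reverse-proxy log lines: "<method> <path> origin=<Origin or ->".
SAMPLE_LOG = """\
POST /api/password-reset origin=https://appsmith.example.internal
POST /api/password-reset origin=https://attacker.example
GET /api/applications origin=https://attacker.example
POST /api/password-reset origin=-
"""


def audit_reset_requests(log_text: str) -> list[str]:
    """Return reset requests whose Origin is not on the allowlist, which is
    the abnormal-Origin audit the advisory recommends. A missing Origin
    ('-') is flagged as well so that it gets reviewed."""
    flagged = []
    for line in log_text.splitlines():
        _method, path, origin_field = line.split(" ", 2)
        origin = origin_field.split("=", 1)[1]
        if path == RESET_REQUEST_PATH and origin not in ALLOWED_ORIGINS:
            flagged.append(line)
    return flagged
```

Stripping or rewriting Origin at the proxy, as the advisory suggests, makes the builder's fallback the only path a self-hosted instance ever takes, while the audit surfaces requests that tried otherwise.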

Weakness Enumeration

Origin Validation Error

Related Identifiers

BIT-APPSMITH-2026-22794
CVE-2026-22794
GHSA-7HF5-MC28-XMCV

Affected Products

Appsmith