CVE-2026-34411

Name of the Vulnerable Software and Affected Versions Appsmith versions prior to 1.98

Description Sensitive instance management API endpoints are exposed without authentication. Unauthenticated attackers can query endpoints such as '/api/v1/consolidated-api/view' and '/api/v1/tenants/current' to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.

Recommendations Update to version 1.98 or later.