PT-2026-3916 · Appsmith · Appsmith
Odgrso
Published 2026-01-22 · Updated 2026-02-17 · CVE-2026-24042
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Appsmith and Affected Versions
Appsmith versions 1.94 and below
Description
Appsmith is a platform for building admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible applications are susceptible to a bypass of the publish boundary, the check that is supposed to keep unpublished (edit-mode) queries and APIs out of reach of end users. An unauthenticated user can execute an unpublished action by sending viewMode=false, or simply omitting the viewMode parameter, in a POST request to the /api/v1/actions/execute endpoint. Since that parameter alone decides whether the edit-mode version of the action is run, the attacker can execute queries and API calls that were never published, which may expose sensitive or development-stage data and trigger unintended side effects (for example, write operations that were only wired up in the editor). Public reports cite more than 6,000 internet-exposed instances.

API Endpoints:
/api/v1/actions/execute

Vulnerable Parameters or Variables:
viewMode

Recommendations
Versions prior to 1.95 (that is, 1.94 and below) are affected. At the time of this entry there was no information about a newer version that contains a fix for this vulnerability. Until a fixed release is confirmed, treat any internet-facing Appsmith instance as exposed: restrict who can reach /api/v1/actions/execute, reject requests from unauthenticated clients that do not carry viewMode=true at a reverse proxy or WAF, and review access logs for such requests.
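The following Python is an added example written for this entry; it is not Appsmith's code and not the vendor's fix. It models the publish boundary described above: an action has an edit-mode (unpublished) version and a published version, and the viewMode parameter of POST /api/v1/actions/execute is meant to select the published one for public callers. `select_vulnerable` reproduces the behaviour the advisory attributes to affected versions (viewMode alone picks the version), `select_hardened` is one possible server-side check (an assumption, not the actual patch), and `flag_suspicious` applies the recommendation above to constructed proxy records whose fields (method, path, session presence, parsed form) are a hypothetical format.

```python
"""Added example: publish-boundary check and log triage for the viewMode issue.
Not Appsmith code; the Action/Caller model and the proxy-record format are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EXECUTE_PATH = "/api/v1/actions/execute"  # endpoint named in the advisory


@dataclass(frozen=True)
class Action:
    name: str
    unpublished: str              # what is currently in the editor
    published: Optional[str]      # what was last published; None if never


@dataclass(frozen=True)
class Caller:
    has_session: bool             # hypothetical: authenticated to Appsmith
    can_edit: bool                # hypothetical: holds edit permission on the app


def parse_view_mode(params: Dict[str, str]) -> Optional[bool]:
    """viewMode as sent by the client: True, False, or None when omitted."""
    raw = params.get("viewMode")
    if raw is None:
        return None
    return raw.strip().lower() == "true"


def select_vulnerable(action: Action, caller: Caller, params: Dict[str, str]) -> str:
    """Behaviour the advisory describes: viewMode alone decides which version runs,
    so viewMode=false or an omitted viewMode yields the edit-mode action even for
    an anonymous caller (the caller argument is deliberately ignored)."""
    if parse_view_mode(params) is True:
        if action.published is None:
            raise LookupError(f"{action.name} has never been published")
        return action.published
    return action.unpublished


def select_hardened(action: Action, caller: Caller, params: Dict[str, str]) -> str:
    """One way to enforce the boundary (assumption): the unpublished version is
    reachable only by a caller with edit permission; viewMode is a preference,
    never an authorization signal."""
    wants_unpublished = parse_view_mode(params) is not True
    if wants_unpublished and not (caller.has_session and caller.can_edit):
        raise PermissionError(f"{action.name}: edit-mode execution requires edit permission")
    if wants_unpublished:
        return action.unpublished
    if action.published is None:
        # Never fall back to the draft: an unpublished-only action stays private.
        raise LookupError(f"{action.name} has never been published")
    return action.published


def flag_suspicious(records: List[Dict]) -> List[str]:
    """Return ids of records matching the advisory's request shape: an
    unauthenticated POST to the execute endpoint without viewMode=true."""
    hits = []
    for r in records:
        if r["method"] != "POST" or r["path"] != EXECUTE_PATH or r["has_session"]:
            continue
        if parse_view_mode(r["form"]) is not True:
            hits.append(r["id"])
    return hits


# Constructed sample records (not real traffic); r2 and r3 match the advisory's shape.
SAMPLE_RECORDS = [
    {"id": "r1", "method": "POST", "path": EXECUTE_PATH, "has_session": False, "form": {"viewMode": "true"}},
    {"id": "r2", "method": "POST", "path": EXECUTE_PATH, "has_session": False, "form": {"viewMode": "false"}},
    {"id": "r3", "method": "POST", "path": EXECUTE_PATH, "has_session": False, "form": {}},
    {"id": "r4", "method": "POST", "path": EXECUTE_PATH, "has_session": True, "form": {"viewMode": "false"}},
    {"id": "r5", "method": "GET", "path": "/api/v1/pages", "has_session": False, "form": {}},
]


def demo() -> Dict[str, object]:
    """Run both selectors against a constructed action and triage the sample records."""
    action = Action("getUsers",
                    unpublished="SELECT * FROM users",        # wider draft query
                    published="SELECT id, name FROM users")
    anon = Caller(has_session=False, can_edit=False)
    editor = Caller(has_session=True, can_edit=True)
    out: Dict[str, object] = {
        "vuln_anon_omitted": select_vulnerable(action, anon, {}),
        "vuln_anon_false": select_vulnerable(action, anon, {"viewMode": "false"}),
        "hard_anon_true": select_hardened(action, anon, {"viewMode": "true"}),
        "hard_editor_false": select_hardened(action, editor, {"viewMode": "false"}),
        "flagged": flag_suspicious(SAMPLE_RECORDS),
    }
    try:
        select_hardened(action, anon, {"viewMode": "false"})
        out["hard_anon_false"] = "executed"
    except PermissionError:
        out["hard_anon_false"] = "denied"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened selector makes the point a reviewer should look for in any fix: whether a caller may run the unpublished version is decided from the caller's permissions, and viewMode only chooses between versions the caller is already allowed to run. The triage helper is a starting point for checking proxy or WAF records; a plain access log that does not capture form fields cannot distinguish viewMode=true from viewMode=false and would need to be supplemented at the edge.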
Exploit
RCE
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Appsmith