PT-2026-3916 · Appsmith · Appsmith

Odgrso · Published 2026-01-22 · Updated 2026-02-17 · CVE-2026-24042

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions: Appsmith versions 1.94 and below

Description: Appsmith is a platform used for building admin panels, internal tools, and dashboards. Publicly accessible applications in versions 1.94 and below are susceptible to a bypass of the expected publish boundary. Unauthenticated users can execute unpublished (edit-mode) actions by sending viewMode=false, or by omitting the viewMode parameter, in a POST request to the /api/v1/actions/execute API endpoint. This allows execution of edit-mode queries and APIs, potentially leading to sensitive data exposure, development data access, and the triggering of unintended side effects. Reports indicate over 6,000 instances are exposed.

API Endpoints: /api/v1/actions/execute

Vulnerable Parameters or Variables: viewMode

Recommendations: Versions prior to 1.95 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
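The flaw described above is a classic trust-the-client authorization error: the request's own viewMode flag decides whether the published or the unpublished version of an action runs, and the absent-flag default lands on the unpublished side. The following Python is an added illustration, not Appsmith's code: it models an action-execution gate in a simplified form (the Request, Action and record shapes, the function names and the sample records are all constructed for this example) and shows the vulnerable mode selection next to a hardened one that derives the mode from the caller's authorization rather than from the parameter, plus a small detection helper a defender could point at request records for this endpoint.

```python
"""Illustrative model of the publish-boundary check (hypothetical, not Appsmith's code)."""
from dataclasses import dataclass, field
from typing import Optional

EXECUTE_PATH = "/api/v1/actions/execute"  # endpoint named in the advisory


@dataclass
class Request:
    authenticated: bool                      # does the request carry a valid session?
    can_edit: bool = False                   # does that session hold edit rights on the app?
    params: dict = field(default_factory=dict)  # parsed request parameters


@dataclass
class Action:
    name: str
    published_query: Optional[str]           # None if the action was never published
    unpublished_query: str                   # the edit-mode (development) version


def _client_says_view_mode(params: dict) -> bool:
    # Mirrors the described behaviour: a missing flag is treated as edit mode.
    return str(params.get("viewMode", "false")).lower() == "true"


def vulnerable_select_query(req: Request, action: Action) -> Optional[str]:
    """Trusts the client-supplied viewMode flag outright. Sending viewMode=false or
    omitting the parameter hands the unpublished query to anyone, unauthenticated included."""
    if _client_says_view_mode(req.params):
        return action.published_query
    return action.unpublished_query


def hardened_select_query(req: Request, action: Action) -> Optional[str]:
    """Derives the mode from authorization, not from the request. Only an authenticated
    editor may reach the unpublished query; everyone else is pinned to the published
    version, and an action with no published version is not executable for them."""
    wants_edit_mode = not _client_says_view_mode(req.params)
    if wants_edit_mode and req.authenticated and req.can_edit:
        return action.unpublished_query
    return action.published_query  # None here means: respond 403/404, do not execute


def flag_edit_mode_attempts(records: list) -> list:
    """Detection helper: indices of POSTs to the execute endpoint where the caller is
    not an authenticated editor yet viewMode is false or absent. Record shape is
    constructed for this example; map your own request logs onto it."""
    hits = []
    for i, rec in enumerate(records):
        if rec.get("method") != "POST" or rec.get("path") != EXECUTE_PATH:
            continue
        is_editor = bool(rec.get("authenticated")) and bool(rec.get("can_edit"))
        if not _client_says_view_mode(rec.get("params", {})) and not is_editor:
            hits.append(i)
    return hits


# Constructed sample request records (not real traffic).
SAMPLE_RECORDS = [
    {"method": "POST", "path": EXECUTE_PATH, "authenticated": False, "can_edit": False,
     "params": {"viewMode": "false"}},                      # anonymous, explicit edit mode
    {"method": "POST", "path": EXECUTE_PATH, "authenticated": False, "can_edit": False,
     "params": {}},                                         # anonymous, flag omitted
    {"method": "POST", "path": EXECUTE_PATH, "authenticated": False, "can_edit": False,
     "params": {"viewMode": "true"}},                       # anonymous, published mode: fine
    {"method": "POST", "path": EXECUTE_PATH, "authenticated": True, "can_edit": True,
     "params": {"viewMode": "false"}},                      # editor in the editor: fine
    {"method": "GET", "path": "/api/v1/applications", "authenticated": False,
     "can_edit": False, "params": {}},                      # unrelated endpoint
]

if __name__ == "__main__":
    action = Action("getUsers", "SELECT id FROM users", "SELECT * FROM users_dev")
    anon = Request(authenticated=False, params={"viewMode": "false"})
    print("vulnerable:", vulnerable_select_query(anon, action))
    print("hardened:  ", hardened_select_query(anon, action))
    print("flagged records:", flag_edit_mode_attempts(SAMPLE_RECORDS))
```

The point of the hardened variant is that the parameter becomes at most a request for edit mode, which the server grants only after checking the session; the published/unpublished split is enforced server-side regardless of what the client sends. The detection helper encodes the same rule as a query: any non-editor reaching the execute endpoint without viewMode=true is worth a look in the logs.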

Exploit · RCE · Missing Authorization

Weakness Enumeration: Missing Authorization

Related Identifiers:
BIT-APPSMITH-2026-24042
CVE-2026-24042
GHSA-J9QQ-4FJ9-9883

Affected Products: Appsmith