CVE-2026-24042CRITICAL 9.8EPSS p43.0%

CVE-2026-24042CVE-2026-24042

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.58% probability of exploitation · percentile 43.0% · 2026-06-19T12:03:05Z
Published2026-01-22
Last modified2026-02-17

Underlying weaknesses· 1

CWE-862

References

  1. https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883

1

TypeTargetConfidenceTier
WeaknessMissing Authorizationcwe-8620%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-30862
CVE
CVE-2026-7299
CVE
CVE-2026-22794
CVE
CVE-2026-20960
CVE
CVE-2026-24096
CVE
CVE-2025-9223
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.