Appsmith low-code platform authentication flaw (CVE-2026-22794)
Vulnerability
Summary
CVE-2026-22794 puts Appsmith version 1.x deployments up to 1.92 at risk of account takeover through a password-reset flaw. Attackers can abuse the client-controlled HTTP Origin header to redirect reset tokens to attacker infrastructure. The vulnerability has been exploited in the wild, while Appsmith 2.x is not vulnerable.
Timeline
- 22.01.2026 18:00 · 2 articles
Appsmith CVE-2026-22794 password reset flaw disclosed with active exploitation
Initial Disclosure: CVE-2026-22794 in the Appsmith low-code platform lets an attacker abuse the client-supplied HTTP Origin header during a password reset so that the reset link, and the token it carries, is delivered to attacker-controlled infrastructure; the attacker then uses the exposed token to set a new password and take over the account. Internet scanning data referenced by Resecurity indicates 1,666 Appsmith instances are publicly reachable. Affected releases are the 1.x line up to version 1.92; Appsmith 2.x is not vulnerable.
Sources:
- Critical Appsmith Flaw Enables Account Takeovers — www.infosecurity-magazine.com — 22.01.2026 18:00
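The bug class described above, as an added illustration that is not Appsmith's code and makes no claim about where in Appsmith the flaw lives: a reset-link builder that takes its host from the request's Origin header, the hardened form that uses only an operator-configured base URL and refuses a foreign Origin, and a small triage function over constructed log lines that flags forgot-password requests whose Origin is not the instance's own. The reset path, the API path, the header handling, the log format and all hostnames are assumptions made for the example.

```python
# Added example (not Appsmith code): password-reset link built from the
# client-controlled Origin header, next to a hardened builder, plus a log
# triage helper. Paths, header names, log format and hosts are assumptions.
import re
import secrets
from urllib.parse import urlencode, urlsplit

# Assumption: the operator-configured public URL of the instance.
CONFIGURED_BASE_URL = "https://appsmith.corp.example"
RESET_PATH = "/user/resetPassword"  # hypothetical reset page path


def new_reset_token() -> str:
    # 32 random bytes, URL-safe. Unguessable, but worthless if the link that
    # carries it is mailed to a host the attacker chose.
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> tuple:
    # Normalise scheme, host and port so "https://Host:443" == "https://host".
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port)


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Origin (falling back to Host) decides where the emailed link points.

    Anyone who can submit the forgot-password form for a victim's address
    picks the host, so the victim's token is delivered to that host."""
    origin = headers.get("Origin") or "https://" + headers["Host"]
    return origin.rstrip("/") + RESET_PATH + "?" + urlencode({"token": token})


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Never derives the link host from the request.

    If an Origin header is present it must match the configured origin;
    otherwise the request is refused, so a mismatch shows up in logs instead
    of being silently served."""
    origin = headers.get("Origin")
    if origin is not None and _origin_of(origin) != _origin_of(CONFIGURED_BASE_URL):
        raise ValueError(f"reset request with foreign Origin {origin!r}")
    return CONFIGURED_BASE_URL.rstrip("/") + RESET_PATH + "?" + urlencode({"token": token})


# --- triage: reset requests whose Origin is not our own -------------------
# Constructed sample access-log lines (not real Appsmith output); "-" means
# the request carried no Origin header.
SAMPLE_LOG = """\
2026-01-22T18:01:07Z POST /api/v1/users/forgotPassword origin=https://appsmith.corp.example ip=10.0.4.12
2026-01-22T18:03:41Z POST /api/v1/users/forgotPassword origin=http://reset-collector.attacker.example ip=203.0.113.9
2026-01-22T18:04:02Z POST /api/v1/users/forgotPassword origin=- ip=10.0.4.20
2026-01-22T18:05:55Z POST /api/v1/users/forgotPassword origin=https://APPSMITH.corp.example:443 ip=10.0.4.12
"""
_LINE = re.compile(r"^(?P<ts>\S+) POST (?P<path>\S+) origin=(?P<origin>\S+) ip=(?P<ip>\S+)$")


def suspicious_reset_requests(log_text: str) -> list:
    """Return (timestamp, origin, ip) for forgot-password requests whose
    Origin header does not match the configured origin."""
    ours = _origin_of(CONFIGURED_BASE_URL)
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m or "forgotPassword" not in m["path"]:
            continue
        origin = m["origin"]
        if origin == "-":
            continue  # no header at all; nothing to compare against
        if _origin_of(origin) != ours:
            hits.append((m["ts"], origin, m["ip"]))
    return hits


if __name__ == "__main__":
    attacker = {"Origin": "http://reset-collector.attacker.example",
                "Host": "appsmith.corp.example"}
    tok = new_reset_token()
    print("vulnerable:", build_reset_link_vulnerable(attacker, tok))
    print("hardened, no Origin:", build_reset_link_hardened({"Host": "x"}, tok))
    print("flagged:", suspicious_reset_requests(SAMPLE_LOG))
```

The hardened builder deliberately ignores Host as well as Origin: both are attacker-controlled in a forgot-password request, so the only trustworthy source for the link's host is server-side configuration. For instances that cannot be upgraded immediately, the triage function shows the check a responder would run over web-server or reverse-proxy logs to find reset requests that arrived with a foreign Origin during the exposure window.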