Reverse-Proxy Takeover Flaw in Low-Code Platform Appsmith (CVE-2026-55454) — Update to v2.1
Appsmith, a popular low-code platform for building internal business apps, has a flaw that lets a low-privilege user take over the server's traffic gateway (reverse proxy). It is tracked as CVE-2026-55454 with a CVSS score of 9.9. The management API of the bundled proxy was open without authentication, and combined with SSRF the proxy configuration can be replaced wholesale. Versions before 2.1 are affected; update to 2.1.

Makoto Horikawa
Backend Engineer / AWS / Django
Appsmith, a popular low-code platform for quickly building internal business apps, has been found to contain a vulnerability that lets a low-privilege user take over the server's traffic gateway. It is tracked as CVE-2026-55454, with a severity of 9.9 out of 10 (Critical).
The affected versions are those before 2.1. It was reported through GitHub and disclosed on June 24, 2026, and the fix is included in 2.1. The admin endpoint of the reverse proxy bundled with Appsmith listened without authentication, and a logged-in regular user can reach it by server-side request forgery (SSRF), that is, by making the Appsmith server itself send requests to its own internal addresses, and take the router over wholesale. If you self-host Appsmith, you need to update.
What kind of service is Appsmith?
Appsmith is a low-code platform for quickly building internal admin panels and business apps by dragging and dropping components connected to databases and APIs. It lets you build tools just for your company, such as inquiry management, inventory, and customer support, faster than building from scratch. It is open source (Apache 2.0 license), can be installed on your own server, has over 40,000 stars on GitHub, and is used at companies such as GSK, Twilio, and Dropbox.
When you run Appsmith yourself, a reverse proxy (Caddy) ships with it and runs in front of everything, receiving all user traffic and routing it to the internal services. The flaw is that the management function of this gateway component was left unprotected.
Who targets it, what they do, and what happens
The targets are environments that self-host Appsmith and hand out accounts to outsiders or to many employees. The attack does not need administrator privileges; the login of a low-privilege regular user is enough. The risk is higher where anyone can register or where accounts are given to outside collaborators.
What an attacker does is use Appsmith as a relay to reach an internal management address, operate the reverse proxy's unauthenticated management function, and rewrite the traffic-routing configuration wholesale. Concretely, they reach the management endpoint that was listening without authentication on 0.0.0.0:2019 inside the container, a binding that makes it reachable from every interface of the container rather than only from loopback, and replace the configuration.
Once the traffic router is taken over, it becomes a foothold for controlling all of Appsmith: routing users' traffic to the attacker's server, returning forged responses, and freely reaching internal services. Internal business data and even the credentials of connected databases and APIs come under threat. Inspecting the components and services you bring in from outside is worth revisiting alongside the ideas in our OSS supply-chain scanner overview. Vulnerabilities that begin to be used in attacks can be tracked in our CISA KEV Dashboard (Japanese edition).
What the vulnerability is
The problem is the combination of a management endpoint that should never be reachable from outside being open without authentication and the fact that it could be reached through Appsmith.
CVE-2026-55454: operating the unauthenticated proxy management function via SSRF to take over (CVSS 9.9)
According to the published information, the management API of the reverse proxy (Caddy) bundled with Appsmith was listening without authentication on 0.0.0.0:2019 inside the container. A low-privilege logged-in user can reach this management API by server-side request forgery (SSRF): abusing Appsmith's feature for fetching external URLs so that the Appsmith server itself sends the request to that internal address. From there they can replace the live proxy configuration in full and take over the traffic router. In the fixed version 2.1, reaching this management function is blocked.
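As an added illustration of the defence this class of bug calls for (example code written for this article, not Appsmith's fix, whose exact form the advisory does not describe): an outbound-URL guard of the kind a "fetch an external URL" feature needs. It resolves the host once and refuses loopback, unspecified (0.0.0.0), private, link-local, multicast and reserved addresses, including IPv4-mapped IPv6 forms, and additionally refuses the Caddy admin port. The injectable resolver, the hostnames and the addresses in the fake DNS table are assumptions so that it runs offline.

```python
"""Outbound-URL guard for a user-controlled "fetch this URL" feature.

Added example for this article, not Appsmith's code. It assumes the caller
resolves the host once, checks every returned address, and then connects to
one of those exact addresses (never re-resolving), so a DNS answer cannot
change between the check and the connection.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Port 2019 is the Caddy admin API port named in the advisory. Blocking it by
# number is belt and braces; the address checks below are the real gate.
BLOCKED_PORTS = {2019}


def resolve_with_dns(host: str) -> list:
    """Real resolver: every A/AAAA answer for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_non_public(ip: str) -> bool:
    """True for any address a fetch-external-URL feature must never talk to."""
    addr = ipaddress.ip_address(ip.split("%", 1)[0])  # drop an IPv6 zone id
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback        # 127.0.0.0/8, ::1
        or addr.is_unspecified  # 0.0.0.0, :: (on Linux a connect() to 0.0.0.0 reaches loopback)
        or addr.is_private      # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or addr.is_link_local   # 169.254/16 (cloud metadata lives here), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
    )


def check_outbound_url(url: str, resolve=resolve_with_dns) -> tuple:
    """Return (allowed, reason). `resolve` is injectable so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port in BLOCKED_PORTS:
        return False, f"port {port} is blocked"
    try:
        addresses = resolve(host)
    except (OSError, ValueError) as exc:
        return False, f"could not resolve {host!r}: {exc}"
    if not addresses:
        return False, f"{host!r} did not resolve"
    # Reject if *any* answer is internal: a mixed answer set is how rebinding and
    # split-horizon tricks slip an internal target past a single-address check.
    for ip in addresses:
        if is_non_public(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolver table (placeholder names and addresses) so the example
# runs without network access.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "db.internal": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.35", "127.0.0.1"],
}


def fake_resolve(host: str) -> list:
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    ipaddress.ip_address(host.split("%", 1)[0])  # raises ValueError if not an IP literal
    return [host]


if __name__ == "__main__":
    for candidate in (
        "http://0.0.0.0:2019/config/",
        "http://127.0.0.1/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://rebind.example.com/",
        "https://api.example.com:2019/",
        "https://api.example.com/v1/orders",
    ):
        print(f"{candidate:45s} -> {check_outbound_url(candidate, resolve=fake_resolve)}")
```

The point of the injectable resolver is not only testing: the caller must connect to the address the guard approved, not re-resolve the hostname at connect time, or a rebinding answer defeats the check.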
A quick check of whether you are affected
Affected are versions before 2.1, fixed in 2.1. The risk is higher for self-hosted environments that hand accounts to multiple users. You can check your version in the admin panel.
| How you use it | Version | What to do |
|---|---|---|
| Self-hosted (your own server) | Before 2.1 | Top priority: update to 2.1 |
| Self-hosted (your own server) | 2.1 or later | No action needed |
| Cloud edition (provider hosting) | — | Updated by the provider (confirm with them to be safe) |
The attack precondition is the login of a low-privilege user. Setups where anyone can register, or where accounts are given to outsiders, widen the attack's entry point.
What to do now
The top priority is to update Appsmith to 2.1 or later, using the official releases.
If you cannot update immediately, useful mitigations are to disable open self-registration, review the privileges given to outside collaborators, and isolate the network so the internal management port (2019) cannot be reached from outside or via Appsmith. Bear in mind that a firewall on port 2019 does not by itself close the SSRF path, because that request originates from inside the Appsmith deployment itself. Also inspect the traffic-routing (proxy) configuration for suspicious changes and the logs for unfamiliar access. If a takeover is suspected, restore the proxy configuration from a known-good copy and rotate the credentials of connected databases and APIs.
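The two inspection steps above, as an added example written for this article (not Appsmith's tooling): read a Caddy JSON configuration and report (1) where its admin API is listening and (2) which upstreams the reverse proxy currently dials, against an allowlist of the backends you expect. The layout it walks (top-level admin.listen or admin.disabled, apps.http.servers.*.routes[].handle[] with reverse_proxy handlers carrying upstreams[].dial, nested inside subroute handlers) is Caddy's documented JSON structure, and on a live instance the same JSON is what the admin API returns for GET /config/. The sample configs, the port numbers and the allowlist are constructed for the example and are not Appsmith's real settings.

```python
"""Audit a Caddy JSON config: admin API exposure and reverse_proxy upstreams.

Added example for this article, not Appsmith's tooling. Walks Caddy's documented
JSON layout: top-level "admin" (listen / disabled) and
apps.http.servers.<name>.routes[].handle[] with "reverse_proxy" handlers
(upstreams[].dial), possibly nested inside "subroute" handlers.
"""
import json
from typing import Iterator, List, Optional, Set

# Caddy's admin API binds here when the config has no "admin" block at all.
CADDY_DEFAULT_ADMIN_LISTEN = "localhost:2019"

# Backends you expect the proxy to dial. Constructed for this example; take the
# real list from a known-good copy of your own deployment's config.
EXPECTED_UPSTREAMS = {"localhost:8080", "localhost:3000"}


def admin_listen(config: dict) -> Optional[str]:
    """Effective admin listen address, or None when the admin API is disabled."""
    admin = config.get("admin") or {}
    if admin.get("disabled"):
        return None
    return admin.get("listen") or CADDY_DEFAULT_ADMIN_LISTEN


def classify_admin(config: dict) -> str:
    """'disabled', 'unix' (socket), 'loopback', or 'exposed' (any other interface)."""
    listen = admin_listen(config)
    if listen is None:
        return "disabled"
    if listen.startswith("unix/"):
        return "unix"
    # Caddy listen syntax is host:port; ":2019" (empty host) means every interface.
    host = listen.rsplit(":", 1)[0].strip("[]") if ":" in listen else listen
    return "loopback" if host in ("localhost", "127.0.0.1", "::1") else "exposed"


def _handlers(routes: list) -> Iterator[dict]:
    """Yield every handler in a route list, descending into subroutes."""
    for route in routes or []:
        for handler in route.get("handle", []):
            yield handler
            if handler.get("handler") == "subroute":
                yield from _handlers(handler.get("routes", []))


def upstreams(config: dict) -> Set[str]:
    """Every address a reverse_proxy handler in any HTTP server dials."""
    found: Set[str] = set()
    servers = config.get("apps", {}).get("http", {}).get("servers", {})
    for server in servers.values():
        for handler in _handlers(server.get("routes", [])):
            if handler.get("handler") == "reverse_proxy":
                found.update(u["dial"] for u in handler.get("upstreams", []) if "dial" in u)
    return found


def audit(config: dict, allowed: Set[str]) -> List[str]:
    """Human-readable findings; an empty list means nothing to report."""
    findings = []
    state = classify_admin(config)
    if state == "exposed":
        findings.append(f"admin API listens on {admin_listen(config)!r}: reachable from any interface")
    elif state == "loopback":
        findings.append("admin API on loopback: still reachable by SSRF from a process in the same container")
    for dial in sorted(upstreams(config) - allowed):
        findings.append(f"unexpected reverse_proxy upstream {dial!r}")
    return findings


def audit_json(text: str, allowed: Set[str]) -> List[str]:
    """Same audit over the raw JSON text, e.g. the body returned by GET /config/."""
    return audit(json.loads(text), allowed)


def _server(*routes: dict) -> dict:
    return {"apps": {"http": {"servers": {"srv0": {"listen": [":80"], "routes": list(routes)}}}}}


# Constructed: what a takeover might leave behind. Admin on every interface, and a
# subroute that quietly sends the login path to a host that is not ours.
TAMPERED_CONFIG = {
    "admin": {"listen": "0.0.0.0:2019"},
    **_server(
        {"match": [{"path": ["/api/*"]}],
         "handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "localhost:8080"}]}]},
        {"handle": [{"handler": "subroute", "routes": [
            {"match": [{"path": ["/login*"]}],
             "handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "203.0.113.7:80"}]}]}]}]},
        {"handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "localhost:3000"}]}]},
    ),
}

# Constructed: the same routing with the admin API moved to a unix socket.
HARDENED_CONFIG = {
    "admin": {"listen": "unix//run/caddy/admin.sock"},
    **_server(
        {"match": [{"path": ["/api/*"]}],
         "handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "localhost:8080"}]}]},
        {"handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "localhost:3000"}]}]},
    ),
}

if __name__ == "__main__":
    for name, cfg in (("tampered", TAMPERED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] admin={classify_admin(cfg)} upstreams={sorted(upstreams(cfg))}")
        for line in audit(cfg, EXPECTED_UPSTREAMS) or ["no findings"]:
            print("  -", line)
```

Two caveats when acting on the findings. Disabling the admin API, or moving it to a unix socket, removes the 0.0.0.0:2019 exposure but also removes the path that `caddy reload` uses, so check whether your deployment relies on reloads before changing it. And a loopback-only admin listener is flagged too: when Caddy and the Appsmith backend share a container, loopback is not a boundary against an SSRF issued by that backend, which is why the upgrade to 2.1 rather than a listener change is the fix.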
Summary
Appsmith's CVE-2026-55454 is a vulnerability in which the management API of the bundled reverse proxy (Caddy) was open without authentication, letting a low-privilege user combine it with SSRF to take over the traffic router. Its severity is CVSS 9.9, it affects versions before 2.1, and it is fixed in 2.1.
Once the traffic gateway is seized, all of Appsmith and the connected business data and databases come under threat. If you self-host it, first check your version and, if it is old, update now. If new vulnerabilities concerning Appsmith emerge, we will track them by adding to this article.