CVE-2026-50189
CVE-2026-50189
8.9
HighPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- Low
- Attack Requirements
- Present
- Privileges Required
- High
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- High
- Confidentiality (Subsequent)
- High
- Integrity (Subsequent)
- High
- Availability (Subsequent)
- High
Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup. This vulnerability is fixed in 2.1.
References
security-advisories@github.com
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-v49v-673j-g4vj134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/appsmithorg/appsmith/security/advisories/GHSA-v49v-673j-g4vj