CVE-2026-34411
Published
CVSS v3
5.3
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT
Description
Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.
Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
GitHub