{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22794", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T18:27:19.389Z", "datePublished": "2026-01-12T21:54:52.803Z", "dateUpdated": "2026-01-13T19:08:29.794Z"}, "containers": {"cna": {"title": "Account Takeover Vulnerability in Appsmith", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv"}, {"name": "https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633", "tags": ["x_refsource_MISC"], "url": "https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633"}], "affected": [{"vendor": "appsmithorg", "product": "appsmith", "versions": [{"version": "< 1.93", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T21:54:52.803Z"}, "descriptions": [{"lang": "en", "value": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker\u2019s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93."}], "source": {"advisory": "GHSA-7hf5-mc28-xmcv", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:14:36.568773Z", "id": "CVE-2026-22794", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:08:29.794Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22794", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T14:14:36.568773Z"}}}], "references": [{"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:14:38.909Z"}}], "cna": {"title": "Account Takeover Vulnerability in Appsmith", "source": {"advisory": "GHSA-7hf5-mc28-xmcv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.7, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "appsmithorg", "product": "appsmith", "versions": [{"status": "affected", "version": "< 1.93"}]}], "references": [{"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv", "name": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633", "name": "https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker\u2019s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T21:54:52.803Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22794", "state": "PUBLISHED", "dateUpdated": "2026-01-13T19:08:29.794Z", "dateReserved": "2026-01-09T18:27:19.389Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T21:54:52.803Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D0E0C12-CE13-4165-8647-F27EE6E03D0F", "versionEndExcluding": "1.93", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker\u2019s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93."}], "id": "CVE-2026-22794", "lastModified": "2026-01-21T19:14:17.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-12T22:16:08.633", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:57:17.039752+00:00", "value": {"mitigation_remediation": ["Upgrade to Appsmith version\u202f1.93 or later to apply the removal of unvalidated Origin usage.", "Verify that the email link base URL in the application configuration is set to a trusted domain and that the Origin header is ignored for link generation.", "If an upgrade cannot be performed immediately, block or validate the Origin header on the app server, or disable password reset and verification flows until the patch is applied."], "summary": {"action": "Patch", "impact": "Account takeover via crafted email reset links"}, "threat_synthesis": {"affected_systems": "Appsmith (appsmithorg:appsmith) is affected for all releases before version\u202f1.93. The vulnerability exists in the server component that sends email links; any deployment of Appsmith before the 1.93 patch is vulnerable.", "description_and_impact": "Appsmith v1.93 and later introduced proper validation when constructing email reset and verification links. Prior to that, the platform accepted the Origin header from incoming HTTP requests and used it as the base URL for authentication emails. An attacker who can set a malicious Origin header in a request can cause the system to generate password reset or verification links that point to a domain under the attacker\u2019s control. When a user clicks such a link, the attacker receives sensitive authentication tokens embedded in the link, allowing the attacker to hijack the account. This flaw directly impacts authentication and confidentiality of user accounts, classified as CWE\u2011346.", "risk_and_exploitability": "The CVSS score of\u202f9.7 denotes a critical severity. EPSS is reported as <\u202f1\u202f%, indicating a low probability of current exploitation under normal circumstances, and the vulnerability is not listed in the CISA KEV catalog. The exploitation route requires an attacker to control an HTTP request to the server to provide a forged Origin header, which is feasible for remote adversaries with internet access to the Appsmith instance. Once the link is delivered via email, the attacker can immediately compromise the affected account."}}}}, "created": "2026-01-13T09:27:17.682919+00:00", "updated": "2026-04-18T07:00:11.353960+00:00", "vendors": ["appsmith", "appsmith$PRODUCT$appsmith"]}