Appsmith Unauthenticated Action Execution Vulnerability in Public Apps

Vulnerability

A vulnerability in Appsmith versions through 1.94 allows unauthenticated users to execute unpublished (edit-mode) actions in publicly accessible apps. This is achieved by sending viewMode=false or omitting the viewMode parameter in POST requests to /api/v1/actions/execute. This behavior bypasses the intended publish boundary, which restricts public viewers to executing only published actions. The vulnerability could lead to unauthorized execution of edit-mode queries and APIs, access to development data, triggering of side effects such as write operations or external API calls, and exposure of sensitive data from unpublished actions.
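The request shape the advisory describes (an unauthenticated POST to the execute endpoint with viewMode=false or no viewMode at all) is easy to pick out of access logs, and the fix on the server side is equally simple to state: an anonymous caller must be pinned to published (view) mode no matter what it sends. The following is an added example written for this page, not Appsmith project code. It assumes a simplified log line format of "timestamp user method path-with-query status", that unauthenticated requests are logged with the user "anonymous", and that viewMode is carried as a query parameter (the advisory does not say where the parameter travels; adapt parse_line if your logs differ). The sample log lines are constructed.

```python
"""Detect unauthenticated edit-mode action execution in Appsmith-style logs.

Added example, not Appsmith code. Assumptions (labelled as such):
  * log line format: "<timestamp> <user> <method> <path-with-query> <status>"
  * requests without an authenticated session are logged as user "anonymous"
  * the viewMode flag is carried as a query parameter
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory.
ACTION_EXECUTE_PATH = "/api/v1/actions/execute"


@dataclass(frozen=True)
class Request:
    timestamp: str
    user: str
    method: str
    target: str   # path plus optional query string
    status: int

    @property
    def path(self) -> str:
        return urlsplit(self.target).path

    @property
    def view_mode(self) -> Optional[str]:
        """Lowercased value of the viewMode query parameter, or None if absent."""
        values = parse_qs(urlsplit(self.target).query).get("viewMode")
        return values[0].strip().lower() if values else None

    @property
    def is_anonymous(self) -> bool:
        return self.user == "anonymous"


def parse_line(line: str) -> Request:
    """Parse one log line in the assumed five-field format."""
    timestamp, user, method, target, status = line.split()
    return Request(timestamp, user, method, target, int(status))


def is_edit_mode_execution_by_anonymous(req: Request) -> bool:
    """True when an unauthenticated client hit the execute endpoint without
    viewMode=true, i.e. with viewMode=false or with the parameter omitted."""
    return (
        req.is_anonymous
        and req.method == "POST"
        and req.path == ACTION_EXECUTE_PATH
        and req.view_mode != "true"
    )


def find_suspicious(lines: Iterable[str]) -> List[Request]:
    """Return every request in the log that matches the advisory's pattern."""
    return [r for r in map(parse_line, lines) if is_edit_mode_execution_by_anonymous(r)]


def effective_view_mode(is_authenticated: bool, requested: Optional[str]) -> bool:
    """Illustrative server-side guard (not Appsmith's actual fix): anonymous
    callers are always treated as view mode regardless of the parameter they
    send; authenticated users get edit mode only when they explicitly ask for
    viewMode=false, and view mode when the parameter is absent."""
    if not is_authenticated:
        return True
    return requested is None or requested.strip().lower() != "false"


# Constructed sample log: lines 2 and 3 are the ones the detector should flag.
SAMPLE_LOG = [
    "2026-01-22T04:26:00Z anonymous POST /api/v1/actions/execute?viewMode=true 200",
    "2026-01-22T04:26:01Z anonymous POST /api/v1/actions/execute?viewMode=false 200",
    "2026-01-22T04:26:02Z anonymous POST /api/v1/actions/execute 200",
    "2026-01-22T04:26:03Z alice@example.invalid POST /api/v1/actions/execute?viewMode=false 200",
    "2026-01-22T04:26:04Z anonymous GET /api/v1/pages 200",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit.timestamp} anonymous execute with viewMode={hit.view_mode!r}")
```

The detector treats a missing viewMode the same as viewMode=false, because the advisory states that omitting the parameter is enough to reach edit-mode actions; a rule that only matched the literal string "false" would miss half of the cases. The guard function shows the corresponding server-side invariant: the published/unpublished decision for an anonymous caller is derived from the caller's authentication state, never from client-supplied input.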

Impact

Exploitation of this vulnerability allows for unauthorized execution of edit-mode actions, access to sensitive development data, and the ability to trigger side effects such as write operations or external API calls.

Added: Jan 22, 2026, 4:26 AM
Updated: Jan 22, 2026, 4:26 AM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          5.0
exploitability  8.1
remediation     0.0
relevance       2.3
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.