Appsmith Unauthenticated Instance Management API Exposure Vulnerability

Vulnerability

A vulnerability exists in Appsmith versions prior to 1.98, where sensitive instance management API endpoints are exposed without authentication. Unauthenticated attackers can access endpoints such as '/api/v1/consolidated-api/view' and '/api/v1/tenants/current' to retrieve configuration metadata, license details, and unsalted SHA-256 hashes of admin email domains. This information can be used for reconnaissance and planning targeted attacks.

Impact

Exploitation of this vulnerability gives an unauthenticated client access to sensitive instance information, including configuration metadata, license information, and admin email domain hashes, which can be used to plan further targeted attacks against the instance and its administrators.

Reproduction

To reproduce this vulnerability, access an Appsmith instance running a version prior to 1.98. Without authentication (no session cookie or other credentials), query the '/api/v1/consolidated-api/view' and '/api/v1/tenants/current' endpoints. The responses will include the sensitive instance management data described above.

Remediation

Users are advised to update to Appsmith version 1.98 or later.
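A post-upgrade self-check that follows the Reproduction section above: it requests the two endpoints named in this advisory with no cookies or Authorization header and classifies each reply. This is an added example for operators verifying their own instance after remediation, not code from the advisory or the Appsmith project; the base URL is an assumed parameter, and the rule that a 2xx with a non-empty JSON object counts as exposure is this example's own heuristic.

```python
import json
import urllib.error
import urllib.request

# The two endpoints named in the advisory.
SENSITIVE_PATHS = (
    "/api/v1/consolidated-api/view",
    "/api/v1/tenants/current",
)


def classify_response(status: int, body: bytes) -> str:
    """Return 'exposed', 'protected' or 'unknown' for one unauthenticated reply.

    2xx with a non-empty JSON object: the endpoint handed data to a client
    with no credentials. 401/403: the auth gate is in place. Anything else
    (5xx, redirect, non-JSON) needs a manual look.
    """
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        try:
            parsed = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return "unknown"
        return "exposed" if isinstance(parsed, dict) and parsed else "unknown"
    return "unknown"


def check_instance(base_url: str, timeout: float = 10.0) -> dict:
    """GET each sensitive path on base_url (an assumed parameter, e.g.
    "https://appsmith.example.internal") with no cookies or Authorization
    header, and map each path to its classification."""
    results = {}
    for path in SENSITIVE_PATHS:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, headers={"Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify_response(resp.status, resp.read())
        except urllib.error.HTTPError as err:
            # urllib raises for 4xx/5xx; the status code is still what we classify.
            results[path] = classify_response(err.code, err.read())
        except urllib.error.URLError:
            results[path] = "unknown"
    return results
```

Any path reported as "exposed" after updating to 1.98 or later means the instance still answers unauthenticated clients and should be investigated; "unknown" results warrant a manual look at the raw response.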

Added: Mar 27, 2026, 5:24 PM
Updated: Mar 27, 2026, 5:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.