CVE-2026-50189

Vulnerability Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup. This vulnerability is fixed in 2.1.

Vulnerability Details

Published Date

June 24, 2026

Last Modified

June 24, 2026

CWE ID

CWE-183

Source

NVD

Vendor

appsmithorg

Product

appsmith

External References

https://github.com/appsmithorg/appsmith/security/advisories/GHSA-v49v-673j-g4vj

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment