CVE-2026-34411

low-risk

Published 2026-03-27

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Appsmith

Affected Vendors

Appsmith

References (2)

Exploit https://github.com/appsmithorg/appsmith/security/advisories/GHSA-qvvc-prjx-f85j

Third Party Advisory https://www.vulncheck.com/advisories/appsmith-unauthenticated-instance-configura...

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal