Medium severity5.3NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026

CVE-2026-34411

Description

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.

Affected products

Appsmith/Appsmith
cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*
Range: <1.98

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/appsmithorg/appsmith/security/advisories/GHSA-qvvc-prjx-f85jnvdExploitThird Party Advisory
www.vulncheck.com/advisories/appsmith-unauthenticated-instance-configuration-disclosure-via-management-apisnvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000