VYPR
Medium severity5.3NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026

CVE-2026-34411

CVE-2026-34411

Description

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains for reconnaissance and targeted attack planning.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*range: <1.98
    • (no CPE)range: <1.98
  • osv-coords
    Range: < 1.98.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.