Unrated severityNVD Advisory· Published Jun 24, 2026

Appsmith: SSRF via `POST /api/v1/admin/send-test-email` — JavaMail Bypasses WebClient IP Filter

CVE-2026-49979

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Appsmithorg/Appsmithllm-fuzzy
Range: <1.99

Patches

Vulnerability mechanics

References

github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86ghmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000