CVE-2026-22794
Account Takeover Vulnerability in Appsmith
8.8
HIGH
CVSS 3.1
EPSS 0.02%
Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93.
How to fix CVE-2026-22794
To remediate CVE-2026-22794, upgrade the affected package to a fixed version below.
- —upgrade to 1.93.0 or later
Is CVE-2026-22794 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.93.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |