CVE-2026-22794
Appsmith · Multiple Products
A critical vulnerability exists in Appsmith that allows an attacker to manipulate password reset and email verification links.
Executive summary
A critical vulnerability exists in Appsmith that allows an attacker to manipulate password reset and email verification links. By sending a malicious request, an attacker can cause these links to point to their own domain, enabling them to steal authentication tokens when a user clicks the link. This can lead to a complete account takeover, granting the attacker unauthorized access to internal tools, dashboards, and sensitive data managed by the Appsmith platform.
Vulnerability
The vulnerability stems from the server's improper validation of the Origin HTTP header. The Appsmith application blindly trusts the Origin header value when constructing the base URL for critical authentication links, such as for password resets or email verifications. An attacker can initiate a password reset for a victim and intercept the request to inject a malicious Origin header pointing to a domain they control. The server then generates an email with a valid reset link, but the domain part of the URL is the attacker's, causing the victim's single-use authentication token to be sent to the attacker's server when the link is clicked.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.6, posing a significant risk to the organization. Successful exploitation leads directly to user account takeover, which could include privileged administrator accounts. This would grant an attacker full control over the Appsmith instance, allowing them to access, modify, or exfiltrate sensitive business data, disrupt internal operations by altering dashboards and tools, and pivot to other systems within the corporate network. The potential consequences include major data breaches, reputational damage, and loss of control over critical internal applications.
Remediation
Immediate Action: Upgrade all instances of Appsmith to version 1.93 or later, which contains the fix for this vulnerability. After patching, review access logs and audit trails for signs of suspicious activity, such as unexpected password resets or logins from unusual locations, that may indicate a prior compromise.
Proactive Monitoring: Security teams should configure monitoring to detect and alert on anomalous Origin headers in HTTP requests, particularly those directed at authentication-related endpoints (e.g., /user/forgotPassword). Monitor application and web server logs for requests to these endpoints that contain unexpected or non-standard domain names in the Origin or Host headers.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to filter and block requests to authentication endpoints that contain an Origin header not matching an approved allow-list of domains. Enforcing mandatory Multi-Factor Authentication (MFA) across all Appsmith accounts can also serve as a strong compensating control, as it would prevent an attacker from logging in even if they successfully steal a password reset token.
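As an added example (not Appsmith's code and not part of the advisory), the allow-list check described in the monitoring and compensating-control items above, run over constructed web-server log lines: it normalises the Origin value (case, default port), flags requests to the password-reset endpoint whose Origin is missing or not on the approved list, and ignores other paths. The allow-list, the log line format and the /user/verifyEmail path are assumptions; /user/forgotPassword is the endpoint the advisory names.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list and endpoint prefixes (assumptions; /user/forgotPassword is from the advisory).
ALLOWED_ORIGINS = {"https://appsmith.corp.example"}
AUTH_ENDPOINTS = ("/user/forgotPassword", "/user/verifyEmail")

# Constructed log line format: ts method path origin="..." host="..." status
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'origin="(?P<origin>[^"]*)" host="(?P<host>[^"]*)" (?P<status>\d{3})$'
)

def normalize_origin(value: str) -> str:
    """Reduce an Origin value to lowercase scheme://host[:port], dropping default ports."""
    parts = urlsplit(value.strip())  # urlsplit lowercases scheme and hostname
    if not parts.scheme or not parts.hostname:
        return ""  # "null", empty or garbage: can never match the allow-list
    default = {"http": 80, "https": 443}.get(parts.scheme)
    port = f":{parts.port}" if parts.port and parts.port != default else ""
    return f"{parts.scheme}://{parts.hostname}{port}"

def origin_allowed(origin: str, allowed=ALLOWED_ORIGINS) -> bool:
    """Exact match after normalisation, so suffix look-alikes such as host.attacker.example fail."""
    norm = normalize_origin(origin)
    return bool(norm) and norm in {normalize_origin(a) for a in allowed}

def flag_suspicious(lines, allowed=ALLOWED_ORIGINS, endpoints=AUTH_ENDPOINTS):
    """Return (ts, path, origin, reason) for auth-endpoint requests worth investigating."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(endpoints):
            continue  # unparseable line or not an authentication endpoint
        if not m["origin"]:
            findings.append((m["ts"], m["path"], "", "missing Origin"))
        elif not origin_allowed(m["origin"], allowed):
            findings.append((m["ts"], m["path"], m["origin"], "Origin not in allow-list"))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2026-01-15T10:02:11Z POST /user/forgotPassword origin="https://appsmith.corp.example" host="appsmith.corp.example" 200',
    '2026-01-15T10:03:40Z POST /user/forgotPassword origin="https://reset.attacker.example" host="appsmith.corp.example" 200',
    '2026-01-15T10:04:02Z POST /user/forgotPassword origin="" host="appsmith.corp.example" 200',
    '2026-01-15T10:05:17Z GET /api/v1/pages origin="https://reset.attacker.example" host="appsmith.corp.example" 200',
    '2026-01-15T10:06:00Z POST /user/forgotPassword origin="HTTPS://Appsmith.corp.example:443" host="appsmith.corp.example" 200',
]
```

The same `origin_allowed` predicate is what a WAF rule for these endpoints should implement: an exact match against the normalised allow-list, never a substring or suffix test.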
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the critical CVSS score of 9.6 and the high potential for complete account compromise, immediate remediation is strongly recommended. Organizations must prioritize the deployment of the security update to version 1.93 or later across all vulnerable Appsmith instances without delay. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity and the ease of exploitation make it a prime target for attackers, warranting urgent attention from asset owners.