
Account Takeover Vulnerability in Appsmith

Critical
vivek-appsmith published GHSA-7hf5-mc28-xmcv Jan 12, 2026

Package

app/server/appsmith-server/src/main/java/com/appsmith/server/controllers/ce/UserControllerCE.java (Maven)

Affected versions

≤ 1.92

Patched versions

1.93

Description

Summary


The server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover.

Details


The core of the vulnerability is that two endpoints use the request Origin header as the baseUrl without validation.

Vulnerable code

  1. /forgotPassword

    https://github.com/appsmithorg/appsmith/blob/release/app/server/appsmith-server/src/main/java/com/appsmith/server/controllers/ce/UserControllerCE.java#L90-L100

    @PostMapping("/forgotPassword")
    public Mono<ResponseDTO<Boolean>> forgotPasswordRequest(
            @RequestBody ResetUserPasswordDTO userPasswordDTO, @RequestHeader("Origin") String originHeader) {
        userPasswordDTO.setBaseUrl(originHeader);
        return service.forgotPasswordTokenGenerate(userPasswordDTO)
                .defaultIfEmpty(true)
                .onErrorReturn(true)
                .thenReturn(new ResponseDTO<>(HttpStatus.OK, true));
    }

    The /forgotPassword API uses the Origin value provided by the client as the email link baseUrl without validation.

  2. /resendEmailVerification

    https://github.com/appsmithorg/appsmith/blob/release/app/server/appsmith-server/src/main/java/com/appsmith/server/controllers/ce/UserControllerCE.java#L189-L196

    @PostMapping("/resendEmailVerification")
    public Mono<ResponseDTO<Boolean>> resendEmailVerification(
            @RequestBody ResendEmailVerificationDTO resendEmailVerificationDTO,
            @RequestHeader("Origin") String originHeader) {
        resendEmailVerificationDTO.setBaseUrl(originHeader);
        return service.resendEmailVerification(resendEmailVerificationDTO, null)
                .thenReturn(new ResponseDTO<>(HttpStatus.OK, true));
    }

    In the same way, /resendEmailVerification calls ResendEmailVerificationDTO.setBaseUrl(originHeader), so the unvalidated Origin value is used as the base of the verification link.
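A hardened alternative for both endpoints, added here as an illustration (it is not Appsmith's own 1.93 patch, which the advisory does not show): the base URL is taken from server configuration, and the request Origin is honoured only when it exactly matches a configured allowlist of trusted origins. The class name, constructor arguments and the configuration source are assumptions.

```java
// Added example, not Appsmith's own patch: derive the email-link base URL from
// server configuration and honour the request Origin only if it is allow-listed.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
public final class EmailLinkBaseUrlResolver {
    // Assumption: both values come from server configuration (env/properties),
    // never from the request. trustedOrigins are assumed already canonical.
    private final String configuredBaseUrl;
    private final Set<String> trustedOrigins; // canonical "scheme://host[:port]"

    public EmailLinkBaseUrlResolver(String configuredBaseUrl, Set<String> trustedOrigins) {
        this.configuredBaseUrl = canonicalize(configuredBaseUrl);
        if (this.configuredBaseUrl == null) {
            throw new IllegalArgumentException("configured base URL must be http(s)://host[:port]");
        }
        this.trustedOrigins = Set.copyOf(trustedOrigins);
    }
    // Base URL to embed in reset/verification links. A missing, malformed or
    // unknown Origin falls back to the configured URL, so a token is never
    // mailed out inside a link to a host the operator did not configure.
    public String resolve(String originHeader) {
        String candidate = canonicalize(originHeader);
        return candidate != null && trustedOrigins.contains(candidate)
                ? candidate
                : configuredBaseUrl;
    }

    // Reduce a URL to "scheme://host[:port]"; reject values without an http(s)
    // scheme and host (e.g. "null", "*"), values carrying userinfo, and input
    // that java.net.URI cannot parse at all.
    static String canonicalize(String value) {
        if (value == null || value.isBlank()) return null;
        try {
            URI uri = new URI(value.trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null || uri.getRawUserInfo() != null) return null;
            scheme = scheme.toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) return null;
            String port = uri.getPort() == -1 ? "" : ":" + uri.getPort();
            return scheme + "://" + host.toLowerCase(Locale.ROOT) + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
// Controller change: userPasswordDTO.setBaseUrl(resolver.resolve(originHeader));
// and the same for ResendEmailVerificationDTO, instead of passing originHeader through.
```

The simplest deployment leaves trustedOrigins empty, in which case every email link uses the configured instance URL regardless of the request.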

PoC


If an attacker sets the Origin to their own domain and sends a password reset request, the link generated in the email will point to the attacker’s domain, potentially exposing the token.

Reproduction Steps

  1. The attacker sends a password reset request for the victim’s email. The request header’s Origin value is set to the attacker’s domain (e.g., https://36fab03272ba.ngrok-free.app).
  2. The server uses the received Origin as the baseUrl to generate the link included in the email. Example: https://36fab03272ba.ngrok-free.app/user/resetPassword?token=...
  3. When the victim clicks the link in the email, the request is sent to the attacker’s domain, and the token is exposed.
  4. The attacker uses the leaked token to reset the password and gain access to the account.

Impact


  • Account Takeover: If an attacker obtains the token from the email link, they can log in to the victim’s account or change the password.
  • Personal Information Exposure: User email addresses and account-related information may be exposed to third parties.
  • Phishing / Malicious Redirection: Legitimate emails can be used to lure users to an attacker-controlled site, enabling further malicious actions (e.g., credential theft).
  • Service Trust and Compliance Risks: If email links point to external domains, user trust may decrease, and legal or compliance issues may arise.

Severity

Critical


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2026-22794

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

Credits