Appsmith public apps can execute unpublished actions (viewMode confusion)

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

授权机制缺失

Appsmith 安全漏洞

Appsmith是Appsmith开源的一个用于构建、部署和维护内部应用程序的开源平台。 Appsmith 1.94及之前版本存在安全漏洞，该漏洞源于未经身份验证的用户可执行未发布的操作，可能导致敏感数据泄露、执行编辑模式查询和API以及触发副作用行为。

N/A

N/A