CVE-2026-22794
Published: 12 January 2026
Summary
CVE-2026-22794 is a critical-severity Origin Validation Error (CWE-346) vulnerability in Appsmith. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 5.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validating untrusted inputs such as the HTTP Origin header before using them to construct password reset and email verification links, preventing attacker-controlled domains from reaching the emailed link.
- SI-2 (Flaw Remediation): Ensures timely identification, prioritization, and remediation of flaws like the unvalidated Origin header usage, as addressed by upgrading to Appsmith 1.93.
- Filters or sanitizes information output in emails to block or correct malicious baseUrls derived from forged Origin headers.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability sits in a public-facing web application (Appsmith) and lets an unauthenticated network attacker poison password reset links with a forged Origin header. That is a direct exploitation of the application itself, with token theft and account takeover following from it.
NVD Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93.
Deeper analysis
CVE-2026-22794 is a critical-severity vulnerability (CVSS 9.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) affecting Appsmith, an open-source platform for building admin panels, internal tools, and dashboards. In versions prior to 1.93, the server blindly trusts the Origin header from incoming requests to construct the baseUrl for password reset and email verification links sent to users. This lack of validation (CWE-346: Origin Validation Error) allows malicious manipulation of the links embedded in emails.
An unauthenticated attacker (PR:N) with network access can exploit this by sending a request with a forged Origin header pointing to a domain they control, such as during a password reset flow. If a legitimate user interacts with the resulting email (UI:R) by clicking the link, authentication tokens are transmitted to the attacker's domain, enabling token exfiltration. This can lead to full account takeover, with high confidentiality, integrity, and availability impacts due to the changed scope (S:C).
The vulnerability was addressed in Appsmith version 1.93, as detailed in the fix commit (6f9ee6226bac13fb4b836940b557913fff78b633) and the GitHub Security Advisory (GHSA-7hf5-mc28-xmcv). Security practitioners should prioritize upgrading to 1.93 or later to mitigate the issue, with no additional workarounds specified in the provided references.
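The following Python is an added illustration of the weakness class described above and of the SI-10 style control the Mitigating Controls section calls for; it is not Appsmith's code and not the fix commit. It places the weak pattern (Origin header copied straight into the link base) beside a hardened version in which the header may only select among operator-configured origins, and adds a small check that flags reset-flow requests with an out-of-allowlist Origin in constructed access-log lines. The configuration values, endpoint paths, function names and log format are all assumptions made for this example.

```python
"""Origin-header handling for password-reset links (CWE-346 illustration).

Added example, not Appsmith's code: the names, paths, configuration values
and log format below are assumptions made for this illustration.
"""
from urllib.parse import urlencode, urlsplit

# Constructed deployment configuration: the only origins this instance is
# legitimately served from. A real deployment would load these from config.
ALLOWED_ORIGINS = ["https://apps.example.internal"]
CONFIGURED_BASE_URL = ALLOWED_ORIGINS[0]

# Constructed endpoint path for the reset flow (not Appsmith's actual route).
RESET_PATHS = {"/api/reset-password"}


def vulnerable_base_url(headers):
    """Pre-1.93 pattern described by the advisory: the Origin header is used
    as the email link base as-is, so a caller-supplied value flows straight
    into the emailed link."""
    return headers.get("Origin", CONFIGURED_BASE_URL)


def _normalize_origin(origin):
    """Reduce an Origin value to (scheme, host, port); None if malformed or if
    it carries anything an Origin never should (path, query, userinfo)."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)  # hostname is already lower-cased


def resolve_base_url(headers, allowed_origins=ALLOWED_ORIGINS, default=CONFIGURED_BASE_URL):
    """Hardened pattern: the request's Origin may only *select* among
    operator-configured origins; anything else falls back to the configured
    default. The returned string is always the configured spelling, never the
    raw header value."""
    allowed = {_normalize_origin(o): o.rstrip("/") for o in allowed_origins}
    allowed.pop(None, None)
    origin = headers.get("Origin")
    if origin is None:
        return default
    return allowed.get(_normalize_origin(origin), default)


def build_reset_link(base_url, token):
    """Assemble the emailed link from a trusted base and the reset token."""
    return f"{base_url}/user/resetPassword?{urlencode({'token': token})}"


# Constructed access-log lines: "<timestamp> <method> <path> origin=<value>".
SAMPLE_LOG_LINES = [
    "2026-01-12T09:00:01Z POST /api/reset-password origin=https://apps.example.internal",
    "2026-01-12T09:00:07Z POST /api/reset-password origin=https://reset.attacker.example",
    "2026-01-12T09:00:09Z GET /api/health origin=https://reset.attacker.example",
    "2026-01-12T09:00:12Z POST /api/reset-password origin=-",
]


def flag_unexpected_origins(log_lines, allowed_origins=ALLOWED_ORIGINS):
    """Detection aid for not-yet-upgraded instances: list reset-flow requests
    whose Origin is outside the configured allowlist."""
    allowed = {_normalize_origin(o) for o in allowed_origins}
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or not fields[3].startswith("origin="):
            continue
        ts, _method, path, kv = fields
        origin = kv[len("origin="):]
        if path not in RESET_PATHS or origin == "-":
            continue
        if _normalize_origin(origin) not in allowed:
            findings.append({"ts": ts, "path": path, "origin": origin})
    return findings


if __name__ == "__main__":
    forged = {"Origin": "https://reset.attacker.example"}
    print("vulnerable:", build_reset_link(vulnerable_base_url(forged), "TOKEN"))
    print("hardened:  ", build_reset_link(resolve_base_url(forged), "TOKEN"))
    for finding in flag_unexpected_origins(SAMPLE_LOG_LINES):
        print("flagged:", finding)
```

The design point is that the hardened version never echoes the header back: it normalizes scheme, host and port, rejects anything with userinfo, path or query components, and then returns the allowlist's own spelling or the configured default. Comparing normalized tuples rather than raw strings is what stops look-alike hosts such as a longer domain that merely starts with the configured one.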
Details
- CWE(s)