
Stacey Levine

App builder

Appsmith

For Version 1.92 and Lower: Important Security Notice — CVE-2026-22794 & Recent Version Updates

Before diving into details, we want to clarify impact up front:

If you do not have email delivery enabled or if your Appsmith instance uses SSO (Single Sign-On) for authentication, you are not vulnerable to the issue described below.

This vulnerability only affects the built-in email/password reset flow.

We’re writing to inform you about a recently published security vulnerability that affects older versions of Appsmith.

A critical account takeover vulnerability (CVE-2026-22794) has been disclosed. In affected versions with email delivery enabled, the password reset flow built the reset link from the HTTP Origin header of the request that triggered the reset. Because a reset can be requested by anyone who knows a user's email address, an attacker could send that request with an Origin header pointing at a domain they control, so that the email delivered to the user contains a genuine reset token inside a link to the attacker's domain. If the user clicks that link, the token is sent to the attacker, who can then complete the reset and take over the account.
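To make the mechanism concrete, here is an added example written for this note (it is not Appsmith's own code): a reset-link builder that takes its base URL from the request's Origin header, beside a hardened builder that uses only the server-side configured instance URL, plus a small review check over constructed access-log lines. The reset path, the log format, the host names and the token are assumptions made for the illustration, not Appsmith's real values.

```python
"""Added example, not Appsmith's code: the reset-link pattern behind
CVE-2026-22794 (base URL taken from the request's Origin header) next to a
hardened builder, plus a small log check. Host names, paths, tokens and log
lines are constructed for the example; the reset path and the log format are
assumptions, not Appsmith's real ones."""
import secrets
from urllib.parse import urlsplit, urlunsplit

# Canonical instance URL configured server-side (assumed setting, assumed value).
CONFIGURED_BASE_URL = "https://appsmith.internal.example"
RESET_PATH = "/user/resetPassword"  # assumed path, for illustration only


def _host(url: str) -> str:
    """Lower-cased host part of a URL or Origin value ('' if unparsable)."""
    return (urlsplit(url).hostname or "").lower()


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Pre-fix pattern: the link's host is whatever the client sent as Origin.

    A reset request is unauthenticated, so an attacker who knows the victim's
    email address can send one with a forged Origin. The mail then carries the
    victim's genuine token inside a link to the attacker's host.
    """
    origin = headers.get("Origin") or CONFIGURED_BASE_URL
    return f"{origin}{RESET_PATH}?token={token}"


def build_reset_link_fixed(headers: dict, token: str) -> str:
    """Hardened pattern: the host comes only from server-side configuration.

    Origin is still inspected, but only to refuse requests that do not come
    from the instance's own front end; it never shapes the generated URL.
    """
    origin = headers.get("Origin")
    if origin is not None and _host(origin) != _host(CONFIGURED_BASE_URL):
        raise ValueError(f"reset refused: unexpected Origin {origin!r}")
    base = urlsplit(CONFIGURED_BASE_URL)
    return urlunsplit((base.scheme, base.netloc, RESET_PATH, f"token={token}", ""))


def reset_link_host_is_trusted(link: str) -> bool:
    """The property the hardened builder guarantees: an outgoing reset link
    only ever points at the configured instance."""
    return _host(link) == _host(CONFIGURED_BASE_URL)


def flag_forged_origin_resets(log_lines: list[str]) -> list[str]:
    """Review access-log lines in an assumed format
    ('METHOD PATH origin=<Origin-or-> client=<ip>') and return the client IPs
    of reset requests whose Origin host is not the instance host."""
    flagged = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "POST" or "forgotPassword" not in fields[1]:
            continue
        origin = fields[2].removeprefix("origin=")
        if origin != "-" and _host(origin) != _host(CONFIGURED_BASE_URL):
            flagged.append(fields[3].removeprefix("client="))
    return flagged


def demo() -> dict:
    """Run the attacker's forged-Origin request through both builders."""
    token = secrets.token_urlsafe(32)
    forged = {"Origin": "https://reset.attacker.example"}  # constructed attacker host
    genuine = {"Origin": CONFIGURED_BASE_URL}
    bad_link = build_reset_link_vulnerable(forged, token)
    good_link = build_reset_link_fixed(genuine, token)
    try:
        build_reset_link_fixed(forged, token)
        refused = False
    except ValueError:
        refused = True
    return {
        "vulnerable_link_host": _host(bad_link),
        "vulnerable_link_trusted": reset_link_host_is_trusted(bad_link),
        "fixed_link_trusted": reset_link_host_is_trusted(good_link),
        "fixed_refuses_forged_origin": refused,
        "token_leaks_via_vulnerable_link": token in bad_link,
    }


# Constructed log lines in the assumed format described above.
SAMPLE_LOG = [
    "POST /api/v1/users/forgotPassword origin=https://appsmith.internal.example client=10.0.0.12",
    "POST /api/v1/users/forgotPassword origin=https://reset.attacker.example client=203.0.113.9",
    "POST /api/v1/users/forgotPassword origin=- client=10.0.0.40",
    "GET /api/v1/users/me origin=https://reset.attacker.example client=203.0.113.9",
]

if __name__ == "__main__":
    print(demo())
    print("suspicious reset requests from:", flag_forged_origin_resets(SAMPLE_LOG))
```

The essential change is that the hardened builder never lets request data decide the link's host; rejecting a mismatched Origin is a secondary check that also blocks cross-site reset requests, and the log review shows what an operator still on an affected version could look for while planning the upgrade.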

🔗 Full research and disclosure details:

https://www.resecurity.com/blog/article/cve-2026-22794-changing-the-origin-header-to-take-over-appsmith-accounts

Who is impacted

✅ Customers running Appsmith version 1.92 or lower

✅ The issue was fixed in version 1.93, released in November

Additional impact notes

  • This vulnerability relies on password reset emails being successfully delivered to users. If email delivery is not enabled, this attack vector does not apply.
  • If your instance uses SSO (Single Sign-On), you are not impacted, as password resets via email are not used.

Additional release update

We’d also like to share that Appsmith version 1.95, released this week, includes the fix for the MongoDB Bleed Vulnerability, along with additional stability and security improvements.

Do you need to upgrade immediately?

There is no need for an emergency upgrade over the weekend. For this vulnerability to be exploited, an attacker must first initiate a password reset for the target user, and that user must then click the link in the resulting email. Keep in mind that the reset request itself is unauthenticated, so an attacker who knows a user's email address can send it at will; the remaining barrier is the user noticing that the link points at a domain other than your Appsmith instance. While the immediate risk is therefore limited rather than absent, we strongly recommend upgrading to version 1.95 at your earliest convenience and reminding users not to follow password reset links that do not point at your instance's own domain.

Summary

✅ A critical vulnerability (CVE-2026-22794) has been published affecting Appsmith ≤ 1.92

✅ The issue was fixed in version 1.93

✅ Version 1.95 (latest) includes the fix for the MongoDB Bleed Vulnerability

✅ Instances without email delivery enabled are not impacted

✅ Instances using SSO are not impacted

✅ No emergency action is required solely due to this vulnerability if users are cautious with password reset emails

Please reach out if you have any questions about upgrading or how this affects your deployment.

Thank you,

The Appsmith Team