Summary
The Appsmith instance management API endpoints
- Consolidated API Information Leakage - /api/v1/consolidated-api/view
- Sensitive Instance Information Disclosure - /api/v1/users/features
- Tenant Configuration Disclosure - /api/v1/tenants/current
are accessible without authentication. These endpoints are meant to function as internal “Application Performance” APIs, but they expose sensitive configuration metadata about the Appsmith instance, including the license plan, instance ID, enabled authentication providers, feature flags, and session timeout settings.
This allows an attacker to obtain a complete overview of all enabled enterprise features such as SAML SSO, SCIM provisioning, audit logs, branding, and granular access control without even having an account. Such information can significantly aid in targeted attack planning.
Any unauthenticated attacker with network access to the Appsmith instance can query these endpoints and extract actionable reconnaissance data.
PoC
No complex requirement: just set up the server and organization and visit the endpoints below.
- Sensitive Instance Information Disclosure - /api/v1/users/features
- Tenant Configuration Disclosure - /api/v1/tenants/current
- Consolidated API Information Leakage - /api/v1/consolidated-api/view
Impact
By querying all three endpoints in sequence, an attacker can determine the exact organization operating the instance by cracking the exposed adminEmailDomainHash field, which is an unsalted SHA-256 hash that breaks trivially against a domain wordlist using commodity hardware. From there, the attacker obtains a full commercial profile of the target including license tier, subscription seat count, active user numbers, and license expiry date alongside a precise map of every enterprise feature enabled on the instance, including whether SAML, OIDC, SCIM provisioning, granular access control, and audit logging are active.
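Because the three endpoints answer without a session, the reconnaissance pattern described above is visible in access logs as one client fetching several of them with no session cookie. The following detection script is an added example, not part of the advisory or of Appsmith: it assumes a constructed reverse-proxy log format whose last field is the value of the Appsmith SESSION cookie ("-" when absent), and flags clients that hit two or more of the sensitive paths unauthenticated with a 200 response.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
#   <ip> [<timestamp>] "<method> <path> <proto>" <status> <SESSION cookie or ->
# Adjust LINE_RE to the format your own proxy actually emits.
SAMPLE_LOG = """\
203.0.113.7 [10/Jan/2025:10:01:02 +0000] "GET /api/v1/tenants/current HTTP/1.1" 200 -
203.0.113.7 [10/Jan/2025:10:01:03 +0000] "GET /api/v1/users/features HTTP/1.1" 200 -
203.0.113.7 [10/Jan/2025:10:01:04 +0000] "GET /api/v1/consolidated-api/view?applicationId=x HTTP/1.1" 200 -
198.51.100.4 [10/Jan/2025:10:05:00 +0000] "GET /api/v1/tenants/current HTTP/1.1" 200 abc123
198.51.100.4 [10/Jan/2025:10:05:01 +0000] "GET /api/v1/applications HTTP/1.1" 200 abc123
192.0.2.9 [10/Jan/2025:10:06:00 +0000] "GET /api/v1/users/features HTTP/1.1" 200 -
"""

# The three unauthenticated endpoints named in the advisory.
SENSITIVE_PATHS = (
    "/api/v1/consolidated-api/view",
    "/api/v1/users/features",
    "/api/v1/tenants/current",
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<session>\S+)$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def sensitive_path(path):
    """Return the matching sensitive endpoint (query string ignored), else None."""
    base = path.split("?", 1)[0]
    return next((p for p in SENSITIVE_PATHS if base == p), None)


def find_unauthenticated_probes(log_text, threshold=2):
    """Map client IP -> sorted list of distinct sensitive endpoints it fetched
    with no session cookie and a 200 response, keeping only clients that
    reached at least `threshold` distinct endpoints."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "200" or rec["session"] != "-":
            continue
        endpoint = sensitive_path(rec["path"])
        if endpoint:
            hits[rec["ip"]].add(endpoint)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= threshold}
```

A single unauthenticated fetch can be legitimate client bootstrap traffic, which is why the threshold defaults to two distinct endpoints; tune it to your own baseline.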