Skip to content

Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation

High severity GitHub Reviewed Published May 21, 2026 in appsmithorg/appsmith • Updated Jun 12, 2026

Package

maven com.appsmith:server (Maven)

Affected versions

< 2.0

Patched versions

2.0

Description

Summary

A configuration-dependent origin validation bypass was identified in Appsmith’s password reset and email verification flows on current release.

Both flows derive the email-link base URL from the request Origin header. The current validation only enforces a trusted base URL when APPSMITH_BASE_URL is configured. If that setting is unset, the application accepts the caller-supplied origin and uses it to generate token-bearing reset and verification links.

On deployments with email delivery enabled and APPSMITH_BASE_URL unset, this can cause Appsmith to send security-sensitive links whose clickable host is attacker-controlled, which can plausibly lead to account takeover after victim interaction.

Details

The current release head at commit e77639eca4974469c1e676904851ffdaedd38111 was reviewed.

The relevant routes are publicly reachable in SecurityConfig.java:

  • POST /forgotPassword is permitted without authentication at line 209
  • POST /resendEmailVerification is permitted without authentication at line 228

In UserControllerCE.java, both flows copy the request Origin header into the DTO field used as the email-link base URL:

  • forgotPasswordRequest(...) at lines 91-94
  • resendEmailVerification(...) at lines 189-193

In UserServiceCEImpl.java, base URL validation is conditional:

  • @Value("${APPSMITH_BASE_URL:}") at line 113
  • resolveSecureBaseUrl(...) at lines 132-145

That method explicitly documents and implements this behavior:

  • if APPSMITH_BASE_URL is configured, the provided URL must match it
  • if APPSMITH_BASE_URL is unset, the provided URL is accepted for backward compatibility

The resulting base URL is then used to construct token-bearing links:

  • FORGOT_PASSWORD_CLIENT_URL_FORMAT at line 149
  • reset URL generation at lines 282-289
  • EMAIL_VERIFICATION_CLIENT_URL_FORMAT at line 152
  • verification URL generation at lines 931-940

This means the base URL is not only used for branding or display purposes. It directly controls the clickable host of security-sensitive reset and verification links.

Note that the admin UI describes APPSMITH_BASE_URL as required for password reset and email verification links in:

  • app/client/src/ce/pages/AdminSettings/config/configuration.tsx at lines 41-49

The reviewed self-host material indicates this protection is not fail-closed by default, which makes the vulnerable condition realistic on existing deployments where operators have not set APPSMITH_BASE_URL.

PoC

These steps were designed for validation on an Appsmith deployment that I own or am explicitly authorized to test.

  1. Deploy a non-production Appsmith instance from current release, or any build containing the affected code.
  2. Enable outbound email delivery.
  3. Leave APPSMITH_BASE_URL unset or blank.
  4. Use a test mailbox account you control, for example victim@example.test.
  5. Send a password reset request with a forged Origin header:
curl -i -X POST 'https://YOUR-INSTANCE/api/v1/users/forgotPassword' \
  -H 'Content-Type: application/json' \
  -H 'Origin: https://attacker.example' \
  --data '{"email":"victim@example.test"}'
  1. Inspect the delivered email. If affected, the clickable reset link is generated under https://attacker.example/... instead of the legitimate Appsmith host.
  2. Repeat the same validation for resend email verification using an unverified test account:
curl -i -X POST 'https://YOUR-INSTANCE/api/v1/users/resendEmailVerification' \
  -H 'Content-Type: application/json' \
  -H 'Origin: https://attacker.example' \
  --data '{"email":"victim@example.test"}'
  1. Inspect the delivered verification email. If affected, the clickable verification link is generated under https://attacker.example/....
  2. Set APPSMITH_BASE_URL=https://YOUR-INSTANCE, restart the server, and repeat the same requests.
  3. The expected secure behavior is that mismatched Origin is rejected, or the generated links no longer follow the forged request header.

Live tokens, third-party data, or unsafe exploitation material was not included in this report. The attached archive contains source excerpts, data-flow proof, safe validation notes, and supporting evidence collected from the reviewed current branch.

Impact

This is a trust-boundary failure in token-bearing email authentication flows.

Affected deployments are those where:

  • APPSMITH_BASE_URL is unset or blank
  • outbound email is enabled
  • password reset and/or email verification flows are enabled

Attacker requirements are low:

  • no prior authentication is required to reach the relevant endpoints
  • the attacker only needs to trigger an email flow toward a target account

Security impact:

  • Appsmith can generate password reset or verification emails whose clickable host is attacker-controlled
  • victim interaction can expose security-sensitive token material
  • this can plausibly result in account takeover
  • at minimum, it enables trusted-email abuse and phishing through the application itself

mitigation

  1. Remove the fallback behavior in resolveSecureBaseUrl(...) that accepts caller-supplied origin data when APPSMITH_BASE_URL is unset.
  2. Fail closed for all token-bearing email flows when no trusted base URL is configured.
  3. Use a single trusted-base-url helper across:
    • password reset
    • resend email verification
    • invite flows
    • instance admin invite flows
  4. Add regression tests for the unset-configuration case.
  5. Add startup or admin-level validation so security-sensitive email flows cannot operate until a trusted base URL is configured.

Attachment

appsmith-email-link-origin-validation-bypass-20260321.zip

References

@subrata71 subrata71 published to appsmithorg/appsmith May 21, 2026
Published to the GitHub Advisory Database Jun 12, 2026
Reviewed Jun 12, 2026
Last updated Jun 12, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS score

Weaknesses

Origin Validation Error

The product does not properly verify that the source of data or communication is valid. Learn more on MITRE.

Reliance on Untrusted Inputs in a Security Decision

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-j9gf-vw2f-9hrw

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.