
appsmith

v2.0 Security

This release includes 9 security fixes and is relevant to security teams reviewing exposed deployments.

This release patches 9 known CVEs

Topics

admin-dashboard admin-panels app-builder automation crud custom-internal developer-tools gui gui-application internal-tools java javascript low-code low-code-framework react self-hosted typescript webdevelopment workflows

Affected surfaces

rce_ssrf auth deps breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 13d

Appsmith v2.0 patches 9 security vulnerabilities including auth bypass, path traversal, and XSS. Upgrades from pre-v1.96 are blocked and require migration through an intermediate version.

Why it matters: Patches critical auth bypass, path traversal, credential leaks, and XSS across 9 CVEs/GHSAs. Upgrade immediately; versions pre-v1.96 cannot upgrade directly.

Summary

AI summary

Updates GHSA-v6jh-fx3m-7xhw, GHSA-m4hv-9p7g-56vm, and GHSA-j9gf-vw2f-9hrw across a mixed release.

Changes in this release

  • Security High: Prevents token-bearing email authentication when APPSMITH_BASE_URL is unset (GHSA-j9gf-vw2f-9hrw). Source: granite4.1:30b@2026-05-21-audit; confidence: low.
  • Security High: Upgrades axios to 1.15.0 to address GHSA-3p68-rc4w-qgx5. Source: granite4.1:30b@2026-05-21-audit; confidence: low.
  • Security Medium: Fixes GHSA-j9gf-vw2f-9hrw token-bearer email authentication. Source: llm_adapter@2026-05-21; confidence: low.
  • Security Medium: Fixes GHSA-3p68-rc4w-qgx5 axios HTTP client vulnerability. Source: llm_adapter@2026-05-21; confidence: low.
  • Security Medium: Fixes CVE-2026-42198 in postgresql-jdbc driver. Source: llm_adapter@2026-05-21; confidence: low.
  • Security Medium: Fixes GHSA-v6jh-fx3m-7xhw unauthenticated OpenAPI access. Source: llm_adapter@2026-05-21; confidence: low.
  • Security Medium: Fixes GHSA-m4hv-9p7g-56vm path traversal vulnerability. Source: llm_adapter@2026-05-21; confidence: low.
  • Security Medium: Fixes CVE-2025-52999 in arangodb-java-driver. Source: llm_adapter@2026-05-21; confidence: low.
  • Security Medium: Fixes GHSA-93mf-9h52-gfxp datasource configuration leak. Source: llm_adapter@2026-05-21; confidence: low.
  • Security Medium: Fixes GHSA-vjfq-fvfc-3vjw stored XSS in SQL autocomplete. Source: llm_adapter@2026-05-21; confidence: low.
  • Security Medium: Fixes GHSA-xq3m-2v4x-88gg protobufjs vulnerability. Source: llm_adapter@2026-05-21; confidence: low.
  • Breaking High: Direct upgrades from <v1.96 to 2.0+ are blocked; must upgrade through v1.99 first. Source: granite4.1:30b@2026-05-21-audit; confidence: low.
  • Breaking High: Direct upgrades from pre-v1.96 versions to 2.0+ will fail; intermediate upgrade through v1.99 required. Source: granite4.1:30b@2026-05-21-audit; confidence: low.
  • Breaking Medium: Blocks direct upgrade to 2.0+ from versions pre-v1.96. Source: llm_adapter@2026-05-21; confidence: low.
  • Feature Medium: Adds documentation link tooltip for Base URL with normalization. Source: llm_adapter@2026-05-21; confidence: high.
  • Feature Medium: Adds MongoDB Operator support in Helm deployments. Source: llm_adapter@2026-05-21; confidence: high.
  • Feature Medium: Adds Ask AI Community Edition stubs and wiring support. Source: llm_adapter@2026-05-21; confidence: high.
  • Dependency Medium: Upgrades bundled MongoDB to version 7.x. Source: llm_adapter@2026-05-21; confidence: high.
  • Dependency Medium: Upgrades backend Java runtime to version 25.x. Source: llm_adapter@2026-05-21; confidence: high.
  • Dependency Medium: Upgrades backend Node runtime to version 24.x. Source: llm_adapter@2026-05-21; confidence: high.
  • Bugfix Medium: Fixes Redis credential preservation during appsmithctl restore. Source: llm_adapter@2026-05-21; confidence: high.
  • Bugfix Medium: Adds validation for Git repository URLs. Source: llm_adapter@2026-05-21; confidence: high.
  • Bugfix Medium: Fixes Helm charts to use documented image values. Source: llm_adapter@2026-05-21; confidence: high.
  • Bugfix Medium: Fixes identity field leakage from imported JSON. Source: llm_adapter@2026-05-21; confidence: high.
  • Bugfix Medium: Fixes binary file upload corruption from HTML entity decoding. Source: llm_adapter@2026-05-21; confidence: high.
  • Bugfix Medium: Fixes request origin validation before persisting invitations. Source: llm_adapter@2026-05-21; confidence: low.
  • Bugfix Medium: Improves error messages with more actionable text. Source: llm_adapter@2026-05-21; confidence: low.
  • Bugfix Medium: Validates request origins before persisting invited users. Source: granite4.1:30b@2026-05-21-audit; confidence: low.
  • Bugfix Medium: Replaces generic “Response not valid” messages with more actionable error messages. Source: granite4.1:30b@2026-05-21-audit; confidence: low.

Full changelog
⚠️ Important / Critical - DO NOT UPGRADE WITHOUT READING

If you are upgrading from a version earlier than v1.96, you must first upgrade to version v1.99 before upgrading to 2.0+.

This requirement is especially important for instances using the built-in MongoDB. Appsmith 2.0 bundles MongoDB 7, and versions v1.96 through v1.99 include the required migration changes needed to support this upgrade path.

Skipping this intermediate upgrade will cause the upgrade to 2.0+ to fail, including installations using an external MongoDB instance. Completing this step is required for all deployments.

If you already attempted the upgrade and encountered a failure, no data loss or destructive changes will occur. Simply upgrade to version v1.99 first. Once the instance is successfully running on v1.99, you can proceed with upgrading to 2.0+.

For detailed upgrade instructions, see:

https://docs.appsmith.com/getting-started/setup/instance-management/update-appsmith
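The upgrade gate described above, as an added example that is not part of Appsmith's own tooling or of these release notes: a small POSIX sh helper that reads an installed Appsmith version string and answers whether the instance can move straight to 2.0 or must first stop at v1.99. The version format (`v1.96`, `1.99`, `v2.0.1`: major.minor with an optional patch) and the function names are assumptions; the cut-off values come from the release note itself.

```shell
#!/bin/sh
# Added example (not Appsmith's code): decide whether an instance may upgrade
# directly to Appsmith 2.0 or must first pass through v1.99, per the release note.
# Assumes version strings look like "v1.96", "1.99" or "v2.0.1" (major.minor[.patch]).

# Print "major minor" for a version string, dropping a leading "v" and any patch part.
version_parts() {
  v="${1#v}"
  major="${v%%.*}"
  rest="${v#*.}"
  minor="${rest%%.*}"
  printf '%s %s\n' "$major" "$minor"
}

# Return 0 (true) when $1 is older than v1.96, the cut-off named in the release note,
# and 1 otherwise. Anything at 1.96 or later may go to 2.0+ directly.
needs_intermediate_upgrade() {
  set -- $(version_parts "$1")
  major="$1"
  minor="$2"
  [ "$major" -lt 1 ] && return 0
  [ "$major" -eq 1 ] && [ "$minor" -lt 96 ] && return 0
  return 1
}

# Print the ordered list of target versions to apply, one per line.
upgrade_path() {
  if needs_intermediate_upgrade "$1"; then
    printf '%s\n' v1.99 2.0
  else
    printf '%s\n' 2.0
  fi
}

# Usage: pass the currently installed version, e.g. `upgrade_path v1.95`
# prints "v1.99" then "2.0"; `upgrade_path v1.98` prints only "2.0".
```

Run the check before touching the deployment: if it prints two lines, apply v1.99, confirm the instance is healthy on that version, and only then move to 2.0+. The release note states that a failed direct attempt is not destructive, so the helper is a convenience for planning, not a recovery tool.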

Features

  • Added a documentation link tooltip for the Appsmith Base URL setting and implemented trailing-slash normalization. (#41782)
  • Added support for the MongoDB Operator in Helm deployments. (#41733)
  • Added Ask AI CE stubs and shared file wiring support. (#41692)

Fixes

  • Validated request origins before persisting invited users. [APP-15239] (#41826)
  • Preserved Redis credentials during appsmithctl restore. (#41827)
  • Upgraded postgresql-jdbc to 42.7.11 to remediate CVE-2026-42198. (#41812)
  • Added validation for Git repository URLs. (#41819)
  • Prevented unauthenticated access to full OpenAPI documentation. (GHSA-v6jh-fx3m-7xhw) (#41803)
  • Fixed a path traversal vulnerability. (GHSA-m4hv-9p7g-56vm) (#41790)
  • Upgraded arangodb-java-driver to 7.25.0 to remediate CVE-2025-52999. (#41789)
  • Replaced generic “Response not valid” messages with more actionable error messages for improved observability. (#41769)
  • Failed closed for token-bearing emails when APPSMITH_BASE_URL is unset. (GHSA-j9gf-vw2f-9hrw) (#41767)
  • Updated Helm charts to use documented image values instead of the undocumented _image key. (#41765)
  • Fixed a datasource configuration leak in Appsmith App Viewer imports. (GHSA-93mf-9h52-gfxp) (#41764)
  • Prevented stored XSS via SQL autocomplete. (GHSA-vjfq-fvfc-3vjw) (#41760)
  • Stripped identity fields from imported JSON before persistence. (#41761)
  • Prevented HTML entity decoding from corrupting binary file uploads in multipart form data. (#41742)
  • Pinned protobufjs to ^7.5.5 to address GHSA-xq3m-2v4x-88gg. (#41745)
  • Upgraded axios to 1.15.0 to address GHSA-3p68-rc4w-qgx5. (#41739)
  • Upgraded bundled MongoDB to 7.x
  • Upgraded backend Java to 25.x
  • Upgraded backend Node to 24.x

Breaking Changes

  • Mandatory intermediate upgrade: versions earlier than v1.96 must first be upgraded to v1.99 before upgrading to 2.0+; skipping this step causes upgrade failure.
  • Bundled MongoDB version bumped to 7.x (requires migration).
  • Backend Java runtime minimum version raised to 25.x.
  • Backend Node.js runtime minimum version raised to 24.x.

Security Fixes

  • GHSA-v6jh-fx3m-7xhw – Prevented unauthenticated access to full OpenAPI documentation.
  • CVE-2026-42198 (postgresql-jdbc 42.7.11) – Remediated vulnerability.
  • GHSA-m4hv-9p7g-56vm – Fixed path traversal vulnerability.
  • CVE-2025-52999 (arangodb-java-driver 7.25.0) – Remediated vulnerability.
  • GHSA-j9gf-vw2f-9hrw – Failed closed for token-bearing emails when APPSMITH_BASE_URL is unset.
  • GHSA-93mf-9h52-gfxp – Prevented datasource configuration leak in Appsmith App Viewer imports.
  • GHSA-vjfq-fvfc-3vjw – Prevented stored XSS via SQL autocomplete.
  • GHSA-xq3m-2v4x-88gg (protobufjs ^7.5.5) – Addressed vulnerability.
  • GHSA-3p68-rc4w-qgx5 (axios 1.15.0) – Addressed vulnerability.


About appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
