
appsmith

v2.1 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.


Topics

admin-dashboard, admin-panels, app-builder, automation, crud, custom-internal, developer-tools, gui, gui-application, internal-tools, java, javascript, low-code, low-code-framework, react, self-hosted, typescript, webdevelopment, workflows

Affected surfaces

rce_ssrf, deps, auth, rbac

ReleasePort's take

Moderate signal
Editorial: auto-generated, 5 days ago

The v2.1 release hardens security by filtering non-routable IPs in WebClient, restricting the Caddy admin interface to a local socket, and adding path traversal validation for widget saves.

Why it matters: these changes block SSRF vectors, limit remote admin access, and prevent directory traversal attacks; severity scores exceed 75, indicating high risk impact.

AI summary

Addresses GHSA-8jvv-gwqg-6vjc, GHSA-r553-q33m-v7pf, and GHSA-v49v-673j-g4vj in a mixed (security, feature and bugfix) release.

Changes in this release

  • Security, Critical: Applied non-routable IP address filter on WebClient for SSRF protection. (Source: llm_adapter@2026-05-29; confidence: high)
  • Security, High: Restricted Caddy admin interface to a local socket. (Source: llm_adapter@2026-05-29; confidence: high)
  • Security, High: Added path traversal validation to widget save paths. (Source: llm_adapter@2026-05-29; confidence: high)
  • Security, High: Removed unused Supervisord admin port. (Source: llm_adapter@2026-05-29; confidence: high)
  • Security, High: Enforced MANAGE_PAGES permission checks when updating the dependency map. (Source: llm_adapter@2026-05-29; confidence: high)
  • Feature, Medium: Replaced Intercom with Pylon across the platform. (Source: llm_adapter@2026-05-29; confidence: high)
  • Feature, Medium: Added `memory-analysis.sh` for memory sizing and diagnostic analysis. (Source: llm_adapter@2026-05-29; confidence: high)
  • Feature, Low: Updated Helm charts to allow numeric CPU values in `resources.requests`. (Source: granite4.1:30b@2026-05-29-audit; confidence: low)
  • Bugfix, Low: Built MongoDB database tools from source using patched `x/crypto` and `x/net` dependencies. (Source: llm_adapter@2026-05-29; confidence: high)
  • Bugfix, Low: Updated Husky pre-commit hook to correctly stage server files from the worktree root. (Source: llm_adapter@2026-05-29; confidence: high)
  • Bugfix, Low: Added a non-root user to the Cypress snapshot Dockerfile. (Source: llm_adapter@2026-05-29; confidence: high)

Full changelog

Features

  • Replaced Intercom with Pylon across the platform. (#41722)
  • Added memory-analysis.sh to help with memory sizing and diagnostic analysis. (#41816)

Fixes

  • Applied a comprehensive non-routable IP address filter on WebClient to strengthen SSRF protection. (GHSA-v49v-673j-g4vj, GHSA-m23h-pvf3-2m7p) (#41849)
  • Built MongoDB database tools from source using patched x/crypto and x/net dependencies. (#41850)
  • Restricted the Caddy admin interface to a local socket. (GHSA-8jvv-gwqg-6vjc) (#41847)
  • Added path traversal validation to widget save paths. (GHSA-r553-q33m-v7pf) (#41834)
  • Removed the unused Supervisord admin port. (GHSA-v49v-673j-g4vj) (#41837)
  • Updated the Husky pre-commit hook to correctly stage server files from the worktree root. (#41835)
  • Added a non-root user to the Cypress snapshot Dockerfile. (#41823)
  • Enforced MANAGE_PAGES permission checks when updating the dependency map. (GHSA-q4p7-j55w-5mjm) (#41828)
  • Updated Helm charts to allow numeric CPU values in resources.requests. (#41824)

Breaking Changes

  • Removed unused Supervisord admin port.

Security Fixes

  • GHSA-v49v-673j-g4vj — Applied non-routable IP address filter on WebClient to strengthen SSRF protection.
  • GHSA-m23h-pvf3-2m7p — Same SSRF protection improvement (additional advisory reference for the same fix).
  • GHSA-8jvv-gwqg-6vjc — Restricted Caddy admin interface to a local socket.
  • GHSA-r553-q33m-v7pf — Added path traversal validation to widget save paths.
  • GHSA-q4p7-j55w-5mjm — Enforced `MANAGE_PAGES` permission checks when updating the dependency map.
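As an added illustration of what the first fix above has to cover, here is a non-routable address filter of the kind that sits in front of an outbound HTTP client such as WebClient. It is not appsmith's code; the range list, the function names and the injectable resolver are assumptions. It unwraps IPv4-mapped IPv6 literals and rejects a host if any resolved address is non-routable, returning the vetted addresses so the caller connects to one of them rather than resolving a second time.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed minimum deny-list for an outbound client acting on user-supplied URLs:
# unspecified, loopback, RFC1918, CGNAT, link-local (cloud metadata lives here),
# multicast and reserved space, plus the IPv6 equivalents.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_non_routable(addr: str) -> bool:
    """True if addr falls in any deny-listed range. IPv4-mapped IPv6
    (::ffff:a.b.c.d) is unwrapped first so it cannot carry a private IPv4
    address past a check that only looks at dotted-quad literals."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # ip_network.__contains__ returns False across IP versions, so mixing is safe.
    return any(ip in net for net in NON_ROUTABLE)


def resolve_and_check(url: str, resolver=socket.getaddrinfo) -> list[str]:
    """Resolve the URL host and return the addresses safe to connect to.
    Raises ValueError when the host is missing or ANY answer is non-routable:
    a mixed answer (one public, one private) is treated as hostile. Connect to
    a returned address; re-resolving later reopens the rebinding window."""
    host = urlsplit(url).hostname  # urlsplit strips brackets from IPv6 literals
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # numeric literal, no DNS
    except ValueError:
        addrs = sorted({info[4][0] for info in resolver(host, None)})
    bad = [a for a in addrs if is_non_routable(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-routable address(es): {bad}")
    return addrs


def is_safe_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean convenience wrapper around resolve_and_check."""
    try:
        return bool(resolve_and_check(url, resolver))
    except ValueError:
        return False
```

The resolver parameter exists so the check can be unit-tested with a canned answer set instead of live DNS.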


About appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.


Related context

Earlier breaking changes

  • v2.0: Direct upgrades from pre-v1.96 versions to 2.0+ will fail; an intermediate upgrade through v1.99 is required.
