CVE-2026-49979
CVSS: 2.7 (Low)
Exploitation Probability (EPSS): Low risk, 18th percentile (higher than 18% of all known CVEs)
Summary
In Appsmith prior to version 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration.
Risk Assessment
The risk involves potential internal network port scanning and service banner enumeration, which could expose sensitive infrastructure information and facilitate further attacks.
Recommendation
Immediately upgrade Appsmith to version 1.99 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.
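The two weaknesses described above (the summary and the NVD text name the same pair) are a destination check that only covers one client library, and an error path that echoes the transport exception to the caller. The following is an added example, not Appsmith's own code or its fix, written in Python rather than the project's Java so that it runs stand-alone: it shows the shape of a check that sits in front of any outbound socket, not just the HTTP client. Every name in it (vet_smtp_target, safe_error_message, ALLOWED_SMTP_PORTS, the CONSTRUCTED_DNS table) is hypothetical, and the port allow-list is an assumption about what a test-email feature needs. The resolver is injectable so the example runs offline and so the returned IP literals, not the hostname, are what the caller connects to.

```python
import ipaddress
import socket
from typing import Callable, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed allow-list for a test-mail feature; refuse anything else before a
# socket is ever opened. (This is an example policy, not Appsmith's.)
ALLOWED_SMTP_PORTS = frozenset({25, 465, 587, 2525})

# Shared address space (CGNAT) is routable inside many cloud networks and is
# not flagged by ipaddress.is_private on every Python version, so deny it
# explicitly in addition to the standard flags.
EXTRA_DENIED = (ipaddress.ip_network("100.64.0.0/10"),)

# Constructed DNS answers for hypothetical hosts, so the example runs offline.
CONSTRUCTED_DNS = {
    "mail.example.com": ["93.184.216.34"],                 # public only
    "metadata.internal": ["169.254.169.254"],              # link-local
    "dual.example.com": ["93.184.216.34", "10.0.0.5"],     # one private answer
}


class UnsafeSmtpTarget(ValueError):
    """Raised when a user-supplied SMTP host/port must not be contacted."""


def constructed_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS using the constructed table above."""
    return CONSTRUCTED_DNS[host]


def system_resolver(host: str) -> List[str]:
    """Real resolver: every A/AAAA answer for host, as IP strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr: IPAddress) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 checks apply.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return not any(addr in net for net in EXTRA_DENIED)


def vet_smtp_target(host: str, port: int,
                    resolver: Callable[[str], List[str]] = system_resolver) -> List[str]:
    """Return the public IP literals the caller may connect to for host:port.

    Every resolved address must be public; a single internal answer rejects
    the whole target. Connect to one of the returned literals rather than
    re-resolving the hostname, so a changed DNS answer cannot redirect the
    connection after the check.
    """
    if port not in ALLOWED_SMTP_PORTS:
        raise UnsafeSmtpTarget(f"port {port} is not an allowed SMTP port")
    host = host.strip().strip("[]")
    if not host:
        raise UnsafeSmtpTarget("empty host")
    try:
        answers = [str(ipaddress.ip_address(host))]   # IP literal: no DNS lookup
    except ValueError:
        try:
            answers = resolver(host)
        except (OSError, KeyError) as exc:
            raise UnsafeSmtpTarget("host does not resolve") from exc
    if not answers:
        raise UnsafeSmtpTarget("host does not resolve")
    for ip_text in answers:
        if not _is_public(ipaddress.ip_address(ip_text)):
            raise UnsafeSmtpTarget("host resolves to a non-public address")
    return answers


def safe_error_message(exc: BaseException) -> str:
    """Client-facing text for a failed test mail.

    The exception text (which may carry a connection-refused/timeout
    distinction or a service banner) belongs in the server log only; the
    HTTP response gets one fixed sentence regardless of the cause.
    """
    return "Could not send a test email with these settings."


if __name__ == "__main__":
    for target in [("mail.example.com", 587), ("metadata.internal", 25),
                   ("127.0.0.1", 25), ("dual.example.com", 465)]:
        try:
            print(target, "->", vet_smtp_target(*target, resolver=constructed_resolver))
        except UnsafeSmtpTarget as err:
            print(target, "-> rejected:", err)
```

The important design point is where the check lives: it takes a host and port and runs before any connection, so it applies equally to JavaMail, an HTTP client, or anything else the server dials on a user's behalf, which is what a filter attached to one client class cannot guarantee. The fixed error message closes the second channel: with the transport exception no longer echoed, a caller cannot distinguish closed from open ports or read a banner out of the response.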