CVE-2024-55963
CVE-2024-55963 is a medium-severity vulnerability in Appsmith with a CVSS 3.x base score of 6.5. Its EPSS exploit-prediction score of 28% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-284.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 28% (98th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-54312
- Weakness: CWE-284
- Affected product: Appsmith
- Published:
- Last modified:
Description
An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the restart API on Appsmith, causing a server restart. This is still within the Appsmith container, and the impact is limited to Appsmith's own server only, but there is a denial of service because it can be continually restarted. This is due to incorrect access control checks, which should check for super user permissions on the incoming request.
Frequently asked questions
- What is CVE-2024-55963?
- An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the restart API on Appsmith, causing a server restart. This is still within the Appsmith container, and the impact is limited to Appsmith's own server only, but there is a denial of service because it can be continually restarted. This is due to incorrect access control checks, which should check for super user permissions on the incoming request.
- How severe is CVE-2024-55963?
- CVE-2024-55963 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2024-55963 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 28% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-55963?
- CVE-2024-55963 affects Appsmith. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-55963?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-55963 have an EU (EUVD) identifier?
- Yes. CVE-2024-55963 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-54312.
- When was CVE-2024-55963 published?
- CVE-2024-55963 was published on 2025-03-26 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*
More vulnerabilities in Appsmith
- CVE-2026-55454 — Critical (CVSS 9.9): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy…
- CVE-2024-55964 — Critical (CVSS 9.8): An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image…
- CVE-2026-22794 — Critical (CVSS 9.6): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin…
- CVE-2026-24042 — Critical (CVSS 9.4): Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly…
- CVE-2026-55455 — Critical (CVSS 9.1): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host…
- CVE-2026-30862 — Critical (CVSS 9.0): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS…
Other CWE-284 (Improper Access Control) vulnerabilities
- CVE-2026-50746 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi…
- CVE-2026-46978 — Critical (CVSS 10.0): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The…
- CVE-2026-35308 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars).…
- CVE-2026-35307 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that…
- CVE-2026-46695 — Critical (CVSS 10.0): Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers…
- CVE-2026-46840 — Critical (CVSS 10.0): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are…
Browse all CWE-284 (Improper Access Control) vulnerabilities →