Appsmith Flaw Allows Code Injection
TL;DR: A stored cross-site scripting (XSS) vulnerability has been found in Appsmith's SQL query editor. Attackers with developer access to a shared PostgreSQL database can inject malicious code by creating specially named database objects. This code executes when the autocomplete feature is used by other users.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published
- Source: CERT/CC
Full summary
A security flaw in Appsmith's SQL editor allows attackers with database access to inject and execute malicious code through the autocomplete feature.
A stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-7299, has been discovered in the Appsmith low-code platform. The flaw exists within the autocomplete renderer of its CodeMirror-based SQL query editor. The vulnerability allows an attacker to inject and store malicious JavaScript code within the application. This is achieved by creating a database object, such as a table or a view, with a name that contains a script payload. When another user interacts with the SQL editor, the autocomplete function attempts to render this malicious name, inadvertently executing the embedded script in the user's browser. This type of attack is particularly subtle as the malicious code is stored on the database server and triggered within the client-side application.
The primary risk affects teams using Appsmith with shared PostgreSQL datasources. The vulnerability requires the attacker to have at least developer-level permissions, meaning they must be able to create or rename objects within the database. Once the malicious object is created, any Appsmith user who connects to that same datasource and uses the SQL editor is at risk. A successful exploit could lead to various security incidents, including session hijacking, theft of sensitive data visible within the Appsmith interface, or performing unauthorized actions on behalf of the compromised user. This undermines the security of applications built on the platform, especially in collaborative environments where multiple developers access the same data sources.
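As an added illustration (not Appsmith's or CodeMirror's own code), the JavaScript below contrasts an autocomplete hint renderer that interpolates a database object name straight into HTML with one that escapes it first, and adds a simple review check a team could run over a shared datasource's object list. The function names and the sample identifiers are assumptions constructed for this example.

```javascript
// Added example, not Appsmith's code: an autocomplete hint assembled from a
// database object name, in the vulnerable and the hardened form. All names
// and the sample identifiers below are constructed for illustration.

// Minimal HTML escaping for text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the hint is built as an HTML string and later assigned
// to element.innerHTML, so any markup in the object name is parsed as markup.
function renderHintUnsafe(objectName, kind) {
  return `<span class="hint-name">${objectName}</span>` +
         `<span class="hint-kind">${kind}</span>`;
}

// Hardened pattern: untrusted values are escaped before they enter markup
// (the same effect as building the nodes and setting textContent).
function renderHintSafe(objectName, kind) {
  return `<span class="hint-name">${escapeHtml(objectName)}</span>` +
         `<span class="hint-kind">${escapeHtml(kind)}</span>`;
}

// Defender-side check over a datasource's object list: identifiers carrying
// markup characters are rare in real schemas and worth flagging for review.
function isSuspiciousIdentifier(objectName) {
  return /[<>"'&]/.test(objectName);
}

// Constructed sample catalogue: one ordinary table and one view whose name
// embeds a harmless tag, standing in for a real payload.
const sampleObjects = [
  { name: "orders", kind: "table" },
  { name: "orders<i>x</i>", kind: "view" },
];

function auditAutocompleteHints(objects) {
  return objects.map(o => ({
    name: o.name,
    suspicious: isSuspiciousIdentifier(o.name),
    unsafeHtml: renderHintUnsafe(o.name, o.kind),
    safeHtml: renderHintSafe(o.name, o.kind),
  }));
}
```

Running `auditAutocompleteHints(sampleObjects)` shows the ordinary name rendering identically both ways, while the view name keeps its tag in the unsafe output and is neutralised to `&lt;i&gt;` in the safe one.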
Why it matters
The vulnerability allows an attacker with developer-level database access to execute code in other users' browsers, potentially leading to session hijacking or data theft within shared Appsmith environments. It highlights the risk of insufficient input sanitization in developer tools.
Business impact
For businesses using Appsmith for internal tools, this vulnerability could expose sensitive company data and compromise user accounts. It poses a risk to operational security in collaborative development teams sharing database access, potentially leading to data breaches or unauthorized application changes.
Primary source: CERT/CC
