Trust Issues: Hijacking Appsmith Accounts via Origin Header Abuse
Jan 15, 2026 · 5 min read
Executive Summary (TL;DR)
Appsmith trusted the client-supplied 'Origin' header when generating password reset links. An attacker can send a reset request for a victim's email with a malicious Origin (e.g., evil.com). The victim receives a valid email from the Appsmith system, but the link points to the attacker's server. Clicking the link leaks the password reset token, allowing the attacker to hijack the account.
A critical Account Takeover (ATO) vulnerability in Appsmith allows unauthenticated attackers to poison password reset emails by spoofing the HTTP Origin header. This manipulation forces the application to generate legitimate emails containing links to attacker-controlled domains, facilitating credential harvesting.
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Appsmith Appsmith | < 1.93 | 1.93 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-346 |
| Attack Vector | Network |
| CVSS Score | 9.6 (Critical) |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Impact | Account Takeover |
| EPSS Score | 0.00027 |
The application does not verify that the Origin header matches the expected source (CWE-346, Origin Validation Error), so an attacker controls the base URL used in the generated reset links.
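To make the defect concrete, here is an added illustration (not Appsmith's code, which is Java; this is a Python sketch) of the vulnerable pattern beside a hardened one: the link base must come from server-side configuration, and any Origin value is checked by exact match against an allowlist rather than used as data. The configured base URL, the allowlist, the reset path and the token value are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, quote

# Constructed sample configuration (assumption): the deployment's public URL is
# server-side configuration, never something read from the request.
CONFIGURED_BASE_URL = "https://app.example.com"
ALLOWED_ORIGINS = {"https://app.example.com"}
RESET_PATH = "/reset-password"  # assumed path, not Appsmith's actual route

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin value to lower-case scheme://host[:port], dropping default ports.
    Returns None for anything that is not a bare origin (path, query, userinfo, 'null', junk)."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname or parts.username:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """The flawed pattern described above: the link base is taken straight from the
    client-supplied Origin header, so the emailed link points wherever the sender says."""
    base = headers.get("Origin", CONFIGURED_BASE_URL)
    return f"{base}{RESET_PATH}?token={quote(token)}"


def hardened_reset_link(headers: dict, token: str) -> str:
    """Build the link from configuration only. A present Origin header is compared by
    exact normalized match against the allowlist (no prefix or substring matching, so
    app.example.com.evil.example is rejected); a mismatch refuses the request outright."""
    origin = headers.get("Origin")
    if origin is not None:
        allowed = {normalize_origin(o) for o in ALLOWED_ORIGINS}
        if normalize_origin(origin) not in allowed:
            raise ValueError("Origin not in allowlist; refusing to send reset email")
    return f"{CONFIGURED_BASE_URL}{RESET_PATH}?token={quote(token)}"
```

A missing Origin is tolerated by the hardened version because the link never depends on it; the allowlist check only blocks cross-site submissions that do carry one.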