CVE CyberSecurity Database News

CVE-2024-55965 - Appsmith “App Viewer” Role Leaks Workspace Datasource List

Poster -

Appsmith is an open-source platform that helps teams build custom internal tools. In June 2024, researchers disclosed a new vulnerability: CVE-2024-55965. This bug lets users invited as “App Viewer” in Appsmith see a list of all datasources in a workspace—information intended only for developers, not viewers. Let’s break down what this means, see example code, and explore remediation.

Vulnerability Type: Information Exposure

- Risk: Workspace “App Viewer” users can see names/types of datasources, though not secrets.
- Exploitability: Requires being added/invited as “App Viewer” in an Appsmith workspace.

“App Viewer” is meant to only view released applications, not underlying configuration or “dev” data. With this issue, they see a list of datasources connected to the workspace—things like database, API or storage resource names.

What information is leaked?

If you invite someone as an “App Viewer,” they should (according to Appsmith’s docs) only interact with released apps. Instead, they can hit the API (or certain panels) to fetch the list of all configured datasources, including names, types and maybe connection parameters (but not credentials or secrets).

Example: Leaked Information

[
  {
    "id": "1f2ab3c4",
    "name": "Production-DB",
    "pluginType": "POSTGRES",
    "workspaceId": "ws1zxnz",
    "datasourceConfiguration": {
      "endPoint": "db.company.com:5432",
      "databaseName": "proddb"
      // credentials NOT included
    }
  },
  ...
]

So if you’re protecting source/database names, or want to keep your backend architecture private from “viewers” — this bug becomes quite sensitive.

How Can It Be Exploited?

Suppose you’re added as a Viewer to “HR Tools” workspace. Usually you’d *only* use HR apps. But a simple call to the Appsmith API exposes backend resource names:

Step 1: Log in as "App Viewer"

Get invited to a workspace as “App Viewer.”

### Step 2: Call the /datasources endpoint

Open the network tab and make a GET request

GET /api/v1/datasources?workspaceId=ws1zxnz
Authorization: Bearer <your-token>

Or using curl

curl -H "Authorization: Bearer your-token" \
     "https://<appsmith-server>/api/v1/datasources?workspaceId=ws1zxnz";

Passwords, API keys, and other sensitive values are not shown.

- But names, endpoints, database types, and metadata might be very telling (e.g., “finance-prod-db,” “analytics-snowflake”).

Recon: Attackers (especially if internal) can map your infrastructure without dev access.

- Target Selection: Resource names hint at business logic, like test vs production, or third-party integrations.
- Corporate Espionage: Knowledge about a company’s architecture can be sensitive—even with no passwords leaked.

Fixed in: Appsmith 1.51

- Recommended Action: Upgrade immediately if you allow others as “App Viewer” in any workspace.

Or, restrict invitation of viewers on critical workspaces.

If you cannot update soon, monitor your API logs for “App Viewer” roles using the /datasources endpoint.

References

- Original Security Advisory (Github PR #29780)
- Official Release Notes for 1.51.
- CVE-2024-55965 Entry at NVD
- Appsmith Documentation: User Roles

Closing Advice

CVE-2024-55965 is a reminder: even non-secret “dev” information can be valuable to attackers. Always apply the principle of least privilege—especially for new SaaS/open-source business tools.

Timeline

Published on: 03/26/2025 21:15:23 UTC
Last modified on: 03/27/2025 16:45:27 UTC