{"id":"CVE-2024-55604","summary":"Appsmith's Broken Access Control Allows Viewer Role User to Query Datasources","details":"Appsmith is a platform to build admin panels, internal tools, and dashboards. Users invited as \"App Viewer\" should not have access to development information of a workspace. Datasources are such a component in a workspace. Yet, in versions of Appsmith prior to 1.51, app viewers are able to get a list of datasources in a workspace they're a member of. This information disclosure does NOT expose sensitive data in the datasources, such as database passwords and API Keys. The attacker needs to have been invited to a workspace as a \"viewer\", by someone in that workspace with access to invite. The attacker then needs to be able to signup/login to that Appsmith instance. The issue is patched in version 1.51. No known workarounds are available.","aliases":["BIT-appsmith-2024-55604","BIT-appsmith-2024-55965","CVE-2024-55965","GHSA-794x-gm8v-2wj6"],"modified":"2026-05-28T03:55:08.869464428Z","published":"2025-03-25T14:15:05.339Z","database_specific":{"cwe_ids":["CWE-280"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55604.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55604.json"},{"type":"ADVISORY","url":"https://github.com/appsmithorg/appsmith/security/advisories/GHSA-794x-gm8v-2wj6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55604"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/appsmithorg/appsmith","events":[{"introduced":"0"},{"fixed":"7930bec9f6f8dc2d2707c68250f4481d37c2571b"}]}],"versions":["v1.49","v1.48","v1.50","v1.47","v1.46","v1.45","v1.44","v1.43","v1.42","v1.41","v1.40","v1.39","v1.38.1","v1.38","v1.37","v1.36","v1.35","v1.34","v1.33","v1.32","v1.31","v1.30","v1.29","v1.28","v1.27","v1.26","v1.25","v1.24","v1.23","v1.22.1","V1.22","v1.21","v1.20","v1.19","v1.18","v1.17","v1.16","v1.15","v1.14","v1.13","v1.12","v1.11","v1.10","v1.9.61","v1.9.60","v1.9.58","v1.9.57","v1.9.56","v1.9.55","v1.9.54","v1.9.53","v1.9.52","v1.9.51","v1.9.50","v1.9.49","v1.9.48","v1.9.47","v1.9.46","v1.9.45","v1.9.44","v1.9.43","v1.9.42","v1.9.41","v1.9.40","v1.9.39","v1.9.38","v1.9.37.1","v1.9.37","v1.9.36","v1.9.35","v1.9.34","v1.9.33","v1.9.32","v1.9.31","v1.9.30","v1.9.29","v1.9.28","v1.9.27","v1.9.26","v1.9.25","v1.9.24","v1.9.23","v1.9.22","v1.9.21","v1.9.20.4","v1.9.20.3","v1.9.20.2","v1.9.20","v1.9.19","v1.9.18","v1.9.17","v1.9.16","v1.9.15","v1.9.14","v1.9.13","v1.9.12","v1.9.11","v1.9.10","v1.9.9","v1.9.8","v1.9.7","v1.9.6","v1.9.5","v1.9.4","v1.9.3.1","v1.9.3","v1.9.2","v1.9.1","v1.9.0","v1.8.15","v1.8.14.1","v1.8.14","v1.8.13","v1.8.12","v1.8.11","v1.8.10","v1.8.9","v1.8.8","v1.8.7","v1.8.6","v1.7.11","v1.8.5","v1.8.4","v1.8.3","v1.8.2","v1.8.1","v1.8.0","v1.7.14","v1.7.13","v1.7.12","v1.7.10","v1.7.9","v1.7.8","v1.7.7","v1.7.6","v1.7.5","v1.7.4","v1.7.1","v1.7.0","v.1.6.25","v.1.6.23","v1.6.21","v1.6.20","v1.6.19","v1.6.18","v1.6.17","v1.6.16","v1.6.15","v1.6.14","v1.6.13","v1.6.12","v1.6.11","v1.6.10","v1.6.9","v1.6.8","v1.6.7","v1.6.6","v1.6.5","v1.6.4","v1.6.3","v1.5.17","v1.4.4","v1.4.3","v1.2.16","v1.2.4","v1.2.2","v1.2.1","v1.2","v1.1","v1.0.2","v1.0.1","v1.0","v1.0-beta.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-55604.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}