A critical flaw in Appsmith, tracked as CVE-2026-24042 with a CVSS score of 9.4, has been disclosed, potentially exposing unpublished logic and sensitive development data. The vulnerability centres on a viewMode confusion error, where publicly accessible apps can allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute.
By manipulating a web request, an unauthenticated user could bypass the intended publish boundary and run code meant for development or testing. The impact includes unauthorized execution of edit-mode queries and APIs, data leakage of hidden unpublished actions, and unintended write access to development data sources.
The issue specifically affects applications that are published and made public. Appsmith v1.94 is identified as vulnerable; a patch has been released and users are advised to upgrade to v1.95 or later. This story was published on 23 January 2026.
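As an added defender-side illustration (not code from Appsmith, the advisory, or the patch): a detection rule over constructed request records for the request shape described above, beside a hypothetical server-side gate showing the invariant a fix has to enforce. The record fields, the merging of query and body fields into `params`, and the `authenticated` flag are assumptions, not Appsmith's own logging or API.

```python
from typing import Any, Dict, Iterable, List

EXECUTE_PATH = "/api/v1/actions/execute"  # endpoint named in the advisory

# Constructed request records (not real Appsmith logs). "params" is assumed to merge
# query-string and JSON-body fields; "authenticated" is assumed to come from the session.
SAMPLE_REQUESTS: List[Dict[str, Any]] = [
    {"id": 1, "method": "POST", "path": EXECUTE_PATH, "authenticated": False, "params": {"viewMode": "false"}},
    {"id": 2, "method": "POST", "path": EXECUTE_PATH, "authenticated": False, "params": {}},
    {"id": 3, "method": "POST", "path": EXECUTE_PATH, "authenticated": False, "params": {"viewMode": "true"}},
    {"id": 4, "method": "POST", "path": EXECUTE_PATH, "authenticated": True, "params": {"viewMode": False}},
    {"id": 5, "method": "GET", "path": "/api/v1/pages", "authenticated": False, "params": {}},
]


def parse_view_mode(params: Dict[str, Any]) -> bool:
    """Interpret viewMode from a bool or string. Absent or unrecognised values fall back
    to published (view) mode, so omitting the parameter can never select edit mode."""
    raw = params.get("viewMode")
    if isinstance(raw, bool):
        return raw
    if isinstance(raw, str) and raw.strip().lower() == "false":
        return False
    return True


def flag_anonymous_edit_mode(requests: Iterable[Dict[str, Any]]) -> List[int]:
    """Detection: ids of unauthenticated POSTs to the execute endpoint where viewMode
    is false or missing, i.e. the request shape the advisory describes."""
    return [
        r["id"] for r in requests
        if r["method"] == "POST" and r["path"] == EXECUTE_PATH
        and not r["authenticated"]
        and (r["params"].get("viewMode") is None or not parse_view_mode(r["params"]))
    ]


def effective_view_mode(authenticated: bool, params: Dict[str, Any]) -> bool:
    """Mitigation (hypothetical gate, not Appsmith's patch): anonymous callers are pinned
    to view mode whatever they send; only authenticated users may request edit-mode
    execution, and even for them an omitted viewMode defaults to view mode."""
    if not authenticated:
        return True
    return parse_view_mode(params)
```

Run over the constructed records, the detection flags ids 1 and 2 only; the gate returns view mode for every anonymous caller regardless of the parameter.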