## Appsmith OpenAPI Documentation Exposed to Unauthenticated Users Before Security Patch
Appsmith shipped a security fix addressing an information disclosure vulnerability that allowed any unauthenticated network user to access complete OpenAPI documentation for the platform. The flaw, tracked as GHSA-v6jh-fx3m-7xhw, earned a CVSS score of 5.3 (medium) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). No CVE has been assigned yet.

The root cause involved the `/v3/**` path being included in the `permitAll()` block of `SecurityConfig.java`, making internal API documentation—including endpoint structures, request schemas, and data models—publicly accessible. The vulnerability lowered the barrier for reconnaissance by giving attackers a ready-made blueprint of the application's architecture without needing to probe the system directly. A defense-in-depth layer was also added by disabling springdoc API docs and Swagger UI by default via `springdoc.api-docs.enabled=false` and `springdoc.swagger-ui.enabled=false` in `application-ce.properties`. Test coverage was implemented through `OpenApiDocsAuthTest`, which verifies that unauthenticated requests to `/v3/docs` and `/v3/swagger-ui.html` now return HTTP 401.
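The following is an added illustration of the configuration mistake described above and of its fix; it is not Appsmith's actual `SecurityConfig.java`, and the class, bean names and the `/public/**` and `/api/v1/health` paths are assumed for the example. It uses the Spring Security WebFlux DSL (`ServerHttpSecurity`), which is an assumption about the stack, and keeps the weak rule beside the hardened one so the ordering point is visible: matchers are evaluated top to bottom, so a `permitAll()` rule that also covers the docs path must be removed rather than followed by a stricter one.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Example configuration (not the project's own file) showing the exposed
// and the hardened form of the authorization rules side by side.
@Configuration
@EnableWebFluxSecurity
public class ExampleSecurityConfig {

    // VULNERABLE SHAPE (for comparison only): "/v3/**" sits in the permitAll()
    // group, so the generated OpenAPI JSON and Swagger UI are served to anyone.
    // Not registered as a bean; shown only to make the defect concrete.
    SecurityWebFilterChain exposedDocsChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/public/**", "/api/v1/health", "/v3/**").permitAll() // "/v3/**" is the bug
                .anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())
            .build();
    }

    // HARDENED SHAPE: "/v3/**" is removed from the public group and explicitly
    // requires authentication. Rule order matters: an earlier, broader
    // permitAll() would still win, so the docs path is listed first.
    @Bean
    public SecurityWebFilterChain hardenedChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/v3/**").authenticated()            // docs need a session
                .pathMatchers("/public/**", "/api/v1/health").permitAll()
                .anyExchange().authenticated())
            // With an entry point configured, an anonymous request to /v3/docs
            // is answered with HTTP 401 instead of the document body.
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}
```

The authorization rule is the primary control; the `springdoc.api-docs.enabled=false` and `springdoc.swagger-ui.enabled=false` properties mentioned above are the second layer, so that a future regression in the matcher list does not re-expose the documents. A regression test in the spirit of `OpenApiDocsAuthTest` would issue anonymous `GET` requests to `/v3/docs` and `/v3/swagger-ui.html` with `WebTestClient` and assert `expectStatus().isUnauthorized()`.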

While the exposure did not grant direct access to protected data, API documentation of this depth can significantly accelerate targeted attacks by revealing internal service boundaries, authentication requirements, and potential misconfigurations. Organizations running affected versions of Appsmith should verify their deployments have applied the patch or implement compensating controls to restrict access to OpenAPI endpoints.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: appsmith, openapi-documentation, security-vulnerability, cwe-200, information-disclosure
- **Credibility**: unverified
- **Published**: 2026-05-13 07:48:29
- **ID**: 82521
- **URL**: https://whisperx.ai/en/intel/82521