Appsmith Origin Header Injection Account Takeover
CVE-2026-22794 is a critical authentication flaw in Appsmith affecting 1.x releases prior to 1.93. When generating password reset and email verification links, the server uses the client-supplied HTTP Origin request header as the link's base URL without validating that the origin is trusted. The reported vulnerable logic includes the forgot-password flow at /api/v1/users/forgotPassword, where the Origin header is read and assigned as the email link baseUrl. An attacker can submit a password reset request for a victim's account while supplying an attacker-controlled Origin value, causing Appsmith to send a genuine email to the victim containing a reset or verification link that points to the attacker's domain but carries a valid token. When the victim clicks the link, the token is delivered to the attacker, who can then present it to the real Appsmith instance to reset the victim's password and take over the account. Because the email is sent by Appsmith itself, only the link's host betrays the attack. Appsmith 2.x is reported as not vulnerable.
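To make the flaw concrete, here is an added illustration of the reported pattern beside a hardened version. This is example code written for this page, not Appsmith's own (Java) source: the hardened variant honours the Origin header only when it is a bare origin that exactly matches a configured allowlist, and otherwise falls back to the operator-configured instance URL. The instance_url and allowed_origins parameters are assumed configuration values; the /user/resetPassword?token= link shape is the one the exploit write-ups below name for token capture.

```python
from urllib.parse import urlsplit

# Illustration written for this page of the reported pattern, not Appsmith's
# own code. Request headers are passed as a plain dict keyed by header name.


def vulnerable_base_url(headers):
    """CVE-2026-22794 pattern: the client-supplied Origin header becomes the
    base URL of the emailed link, with no check that it is a trusted origin."""
    return headers.get("Origin", "").rstrip("/")


def hardened_base_url(headers, instance_url, allowed_origins):
    """Use the Origin header only when it is a bare origin (scheme://host[:port]
    with no path, query, fragment or userinfo) that exactly matches one of the
    configured allowed origins; otherwise fall back to the operator-configured
    instance URL. instance_url and allowed_origins are assumed configuration
    values for this example."""
    allowed = {o.strip().lower().rstrip("/") for o in allowed_origins}
    parts = urlsplit(headers.get("Origin", "").strip())
    is_bare_origin = (
        parts.scheme in ("http", "https")
        and parts.netloc
        and "@" not in parts.netloc      # reject trusted-host@evil-host tricks
        and parts.path == ""
        and parts.query == ""
        and parts.fragment == ""
    )
    if is_bare_origin:
        candidate = f"{parts.scheme}://{parts.netloc}".lower()
        if candidate in allowed:
            return candidate
    return instance_url.strip().rstrip("/")


def reset_link(base_url, token):
    """Build the link the email would carry; path and parameter name are the
    ones the PoC descriptions give for the token-capture endpoint."""
    return f"{base_url}/user/resetPassword?token={token}"


if __name__ == "__main__":
    forged = {"Origin": "https://evil.example"}
    instance = "https://appsmith.internal.example"
    print("vulnerable:", reset_link(vulnerable_base_url(forged), "T0KEN"))
    print("hardened:  ", reset_link(hardened_base_url(forged, instance, {instance}), "T0KEN"))
```

The safest configuration is an allowlist containing only the instance's own public origin, in which case every forged Origin collapses to the configured URL and the emailed link can only ever point back at the real instance.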
Exploits
Two exploit repositories are summarized below (fakes, detection-only scripts, and README-only repositories excluded).
Repository contains a PoC exploit and a Nuclei template for CVE-2026-22794 affecting Appsmith <= 1.92. The core issue is Origin header trust during password reset link generation: an unauthenticated attacker sends a forgot-password request with a spoofed Origin (attacker domain), causing the emailed reset link to point to attacker infrastructure; when the victim clicks, the reset token can be captured and used to reset the victim's password (account takeover).

Structure:
- CVE-2026-22794.py: Python PoC with two modes. (1) --check: GET / and look for "Appsmith" in the HTML and a parseConfig('vX.Y') version string; flags the target as vulnerable if the version is <= 1.92, or if Appsmith is detected but no version can be extracted (so the check over-reports on instances whose version string cannot be parsed). (2) exploit: POST /api/v1/users/forgotPassword with JSON {email: <victim>} and Origin: https://<evil_domain>; reports success on HTTP 200/201/202 with "success" in the body.
- CVE-2026-22794.yaml: Nuclei template that (a) GETs /api/v1/users to fingerprint Appsmith and optionally extract X-Appsmith-Version, (b) POSTs to /api/v1/users/forgotPassword with a fixed Origin (evil-attacker-domain.com) and a test email to validate behavior, and (c) sends an OPTIONS preflight and checks whether Access-Control-Allow-Origin reflects the attacker domain or is a wildcard. Step (b) is not passive: it triggers a real reset email for the supplied address. Step (c) is ancillary, since the link is built server-side from the Origin header regardless of what the CORS response says.
- README.md: Detailed explanation, usage examples, and an attacker-side token capture example (index.php writing tokens.txt).

Notable targeting/assumptions:
- Requires an exposed Appsmith HTTP(S) endpoint.
- Full impact depends on outbound email being configured and on victim interaction (clicking the reset link).
Repository purpose: PoC/operational exploit for CVE-2026-22794 (Appsmith Origin header injection) enabling password reset link hijacking and account takeover.

Structure:
- exploit.py: Main Python exploit. Implements (a) a local HTTP listener (BaseHTTPRequestHandler) that captures reset tokens from victim clicks (parses the `token` query parameter), logs requests, and appends tokens to `captured_tokens.txt`; (b) client-side routines (per README/CLI) that send a malicious password reset request to the target with a forged `Origin` header pointing to an attacker-controlled URL; and (c) a follow-on step that uses a captured token to reset the password on the Appsmith instance. Also includes convenience output (colorama), threading to run the capture server, and CLI flags such as --target, --email, --attacker-url, --listen, --port, --check, and reset-token/new-password (as documented).
- nuclei/CVE-2026-22794.yaml: Nuclei template for detection/fingerprinting. Checks `/api/v1/users` for Appsmith-like responses and optionally extracts `X-Appsmith-Version`. Sends a test POST to `/api/v1/users/forgotPassword` with a malicious Origin and matches on JSON success indicators; includes an OPTIONS-based CORS/Origin acceptance check.
- docs/technical_analysis.md and README.md: Detailed explanation of the root cause (trusting Origin to build the reset URL), the attack chain, and remediation guidance.
- requirements.txt: requests, colorama, urllib3.

Exploit capabilities:
- Network-based unauthenticated trigger of a password reset for an arbitrary email.
- Origin header manipulation to make Appsmith generate reset links pointing to attacker infrastructure.
- Token capture server that records tokens and client IPs and serves a benign-looking 503 page to reduce suspicion.
- Post-capture account takeover by submitting the stolen token to the reset-password endpoint with a chosen new password.

Notable targeting details:
- Primary target endpoint: POST `/api/v1/users/forgotPassword` with an attacker-controlled `Origin`.
- Token exfiltration occurs when the victim visits the attacker URL path `/user/resetPassword?token=...`.
- Follow-on action: POST `/api/v1/users/resetPassword` using the stolen token.

Overall, this is an operational PoC (not a framework module) combining exploitation, token collection, and password reset automation, plus a separate Nuclei detection template.
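The exploit chain described in both repositories leaves a recognisable trail in front-end proxy logs, provided the proxy records the Origin request header. The following detection script is an added example written for this page (not code from either repository or from Appsmith) that runs over constructed JSON-lines log records with ts, src_ip, method, path and origin fields; that schema is an assumption, as is the trusted-origin set. It flags the three behaviours the write-ups describe: forgot-password requests (POST or the OPTIONS preflight) carrying an Origin that is not one of the instance's own, repeated forgot-password requests from one source, and a resetPassword call from a source that earlier sent a forged Origin.

```python
import json
from collections import Counter

FORGOT_PATH = "/api/v1/users/forgotPassword"
RESET_PATH = "/api/v1/users/resetPassword"

# Constructed sample log (JSON lines), assumed to come from a reverse proxy
# configured to record the Origin request header. Not real data.
SAMPLE_LOG = [
    '{"ts":"2026-01-10T09:00:01Z","src_ip":"10.0.0.5","method":"POST","path":"/api/v1/users/forgotPassword","origin":"https://app.example","status":200}',
    '{"ts":"2026-01-10T09:12:40Z","src_ip":"198.51.100.7","method":"OPTIONS","path":"/api/v1/users/forgotPassword","origin":"https://evil.example","status":200}',
    '{"ts":"2026-01-10T09:12:41Z","src_ip":"198.51.100.7","method":"POST","path":"/api/v1/users/forgotPassword","origin":"https://evil.example","status":200}',
    '{"ts":"2026-01-10T09:12:42Z","src_ip":"198.51.100.7","method":"POST","path":"/api/v1/users/forgotPassword","origin":"https://evil.example/","status":200}',
    '{"ts":"2026-01-10T09:12:43Z","src_ip":"198.51.100.7","method":"POST","path":"/api/v1/users/forgotPassword?x=1","origin":"https://EVIL.example","status":200}',
    'this line is not JSON and must be skipped',
    '{"ts":"2026-01-10T09:31:05Z","src_ip":"198.51.100.7","method":"POST","path":"/api/v1/users/resetPassword","origin":"","status":200}',
]


def normalize_origin(origin):
    """Lower-case and strip a trailing slash so the allowlist comparison is
    exact on scheme + host[:port]; None or empty becomes ''."""
    return (origin or "").strip().lower().rstrip("/")


def detect(lines, trusted_origins, spray_threshold=3):
    """Return a list of findings (dicts) for the behaviours in the exploit
    write-ups. Lines are processed in order; each finding records the rule,
    the source IP and the timestamp of the triggering record."""
    trusted = {normalize_origin(o) for o in trusted_origins}
    findings = []
    forged_sources = set()      # src_ips that have sent an untrusted Origin
    forgot_posts = Counter()    # per-source POST count to forgotPassword

    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue            # tolerate garbage rather than abort the scan
        path = ev.get("path", "").split("?", 1)[0]
        method = ev.get("method", "").upper()
        src = ev.get("src_ip", "?")
        origin = normalize_origin(ev.get("origin"))
        base = {"src_ip": src, "ts": ev.get("ts")}

        if path == FORGOT_PATH and method in ("POST", "OPTIONS"):
            # Rule 1: an Origin that is not one of our own. An absent Origin is
            # NOT flagged: the PoCs only ever add a forged one.
            if origin and origin not in trusted:
                findings.append(dict(base, rule="forged_origin", origin=origin, method=method))
                forged_sources.add(src)
            # Rule 2: reset spraying from one source (fires once, at the threshold).
            if method == "POST":
                forgot_posts[src] += 1
                if forgot_posts[src] == spray_threshold:
                    findings.append(dict(base, rule="reset_spray", count=spray_threshold))
        elif path == RESET_PATH and method == "POST" and src in forged_sources:
            # Rule 3: follow-on token use from a source already seen forging
            # Origin. The attacker may use a different IP for this step, so the
            # absence of this finding proves nothing.
            findings.append(dict(base, rule="reset_after_forged_origin"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, {"https://app.example"}):
        print(finding)
```

Two practical notes. The trusted set must contain every origin from which legitimate browsers reach the instance (including non-default ports), or Rule 1 will fire on normal users. And because the capture server in the second repository answers the victim with a 503 page, a victim who clicked is unlikely to report anything; a forged-origin request followed later by a successful resetPassword for the same account is the signal to hunt for, and any account whose reset email was requested with an untrusted Origin should have its password rotated and sessions invalidated regardless of whether Rule 3 fired.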
Recent activity
Summaries from the 19 sources tracked across advisories, community write-ups, and news:
A critical authentication/account takeover vulnerability in Appsmith’s password reset flow that can expose password reset tokens via a manipulated reset link, enabling unauthorized password changes and account takeover without alerts.
An authentication/account takeover vulnerability in Appsmith's password reset flow where the client-controlled HTTP Origin header is used to construct password reset links without proper validation, allowing attackers to capture reset tokens and hijack accounts.
A critical Appsmith authentication/account-takeover flaw where the application trusts a client-controlled HTTP Origin header to build password reset/email verification links, enabling reset-token leakage to an attacker-controlled domain and subsequent account takeover.