GHSA-9wcp-79g5-5c3c: Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators

June 12, 2026

The /api/v1/users/super endpoint enforces a restriction that only one super user (Instance Administrator) can be created during initial setup. However, due to a Time-of-Check-Time-of-Use (TOCTOU) race condition in the signupAndLoginSuper() method, concurrent requests can bypass this restriction, allowing multiple unauthorized users to obtain Instance Administrator privileges.

References

github.com/advisories/GHSA-9wcp-79g5-5c3c
github.com/appsmithorg/appsmith/releases/tag/v1.99
github.com/appsmithorg/appsmith/security/advisories/GHSA-9wcp-79g5-5c3c

Code Behaviors & Features

Detect and mitigate GHSA-9wcp-79g5-5c3c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →