Appsmith vs HashiCorp
Side-by-side trajectory, velocity, and editorial themes.
Appsmith spent six months in a sustained security-patch cycle, capped by a release with 15+ named advisories.
Appsmith's recent release stream is dominated by security work. v1.99 alone landed roughly fifteen security-tagged fixes — multiple named GHSAs (super-user race condition, SSRF via send-test-email, OAuth2 callback ACL bypass, application snapshot delete permission, expanded metadata denylist), critical CVE patches (CVE-2025-70952, CVE-2026-33937 in handlebars, CVE-2026-22732 around Spring Security headers), AQL injection prevention in the ArangoDB plugin, and several reflected XSS and email-normalization fixes. The same pattern repeats in v1.98 (SQL injection in UQI filters, simple-git critical CVE), v1.96 (arbitrary file write outside repo scope, OS command injection in in-memory Git, XSS in Table HTML cells), and earlier. Feature work continues alongside but at a much smaller volume — Redis TLS, BetterBugs SDK, Favorite Applications V2, Helm extraVolumes.
The arc is clear: Appsmith is absorbing the output of what looks like a sustained external audit (or several converging ones) and using minor releases as the patch vehicle. The diversity of vuln classes across the ArangoDB plugin, Spring Security headers, OAuth2 callback, in-memory Git, snapshot deletion permissions, and metadata denylist points to a broad-surface review rather than a single component. Feature work isn't stalled, but it's clearly running second to the security queue.
Expect at least one or two more 1.9x releases to keep landing security patches before a 2.0 line emerges. Watch for a release that bundles fewer security items than features — that's the signal the audit cycle has caught up. Likely product-side bets are continued data-source TLS coverage and more granular permission scoping (the GHSAs around snapshots and OAuth2 lookup suggest the permission model is being tightened systematically).
HashiCorp under IBM is doubling down on agentic IAM and enterprise-scale Terraform.
Now branded 'IBM Vault' in places, HashiCorp is rolling out its post-acquisition strategy on two fronts: native identity management for AI agents in Vault, and a coordinated Terraform refresh spanning 1.15, Enterprise 2.0, and Infragraph-powered HCP in public preview. Recent capability adds across Vault (envelope encryption for streaming workloads, Azure hub-and-spoke GA) and Terraform (cost visibility, project-level notifications) progress the existing surface while the strategic bets ship in parallel.
Two arcs are clearly pulling: Vault is repositioning as the identity plane for the AI-agent era — issuing, delegating, and tracing credentials for non-human actors — and Terraform is being reorganized around enterprise-scale governance with a single-source-of-truth graph (Infragraph) underneath HCP. The 'AI operating model' marketing layer signals that IBM and HashiCorp are telling enterprise buyers AI is now an operations problem, not an experimentation problem, and HashiCorp is the substrate to operationalize it on.
The AI-agent IAM story is the one to expand fastest — agent-policy primitives, OIDC-for-agents, tighter integration with Vault Secrets Operator and Boundary. On the Terraform side, Infragraph graduating from public preview is the next milestone to watch, and likely the moment 'HCP Terraform powered by Infragraph' replaces classic HCP Terraform as the default.
See more alternatives to Appsmith →
See more alternatives to HashiCorp →