PatchSiren cyber security CVE debrief
CVE-2026-45061 Budibase CVE debrief
CVE-2026-45061 is a high-severity (CVSS 7.7) Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The flaw exists in the Plugin URL upload endpoint (POST /api/plugin) prior to version 3.35.10. The endpoint validates the supplied URL only by checking whether the string contains the substring `.tar.gz`; because that substring can appear anywhere in the URL, including in the query string or fragment, an attacker can satisfy the check while pointing the URL at an arbitrary host. While Budibase's default SSRF blacklist normally blocks private IP ranges, SSRF is reachable in two scenarios: when chained with a BLACKLIST_IPS bypass (the blacklist is empty), or when the plugin server follows an HTTP redirect from an external URL to an internal target, which is the default node-fetch behaviour with `redirect: 'follow'`. The vulnerability is classified as CWE-918 (Server-Side Request Forgery).
- Vendor: Budibase
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Budibase instances prior to 3.35.10, particularly those with self-hosted deployments where BLACKLIST_IPS may be misconfigured. Security teams responsible for low-code/no-code platform governance, infrastructure teams managing Budibase deployments, and developers building plugins for Budibase environments should prioritize this patch. Organizations with strict network segmentation requirements or compliance obligations around SSRF prevention should assess exposure immediately.
Technical summary
The Budibase Plugin URL upload endpoint (POST /api/plugin) in versions prior to 3.35.10 uses a flawed validation mechanism that checks only for the substring `.tar.gz` anywhere in the URL. This insufficient validation allows attackers to craft URLs that pass the check while targeting arbitrary hosts. The vulnerability becomes exploitable for SSRF when: (1) the BLACKLIST_IPS environment variable is empty, removing the default private IP protection; or (2) the server follows HTTP redirects from an allowed external host to an internal target. The underlying issue is CWE-918 (Server-Side Request Forgery) with a CVSS 3.1 score of 7.7 (HIGH severity). The fix in version 3.35.10 addresses the validation logic.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Budibase to version 3.35.10 or later to remediate this vulnerability.
- Review and validate that the BLACKLIST_IPS environment variable is properly configured and not empty, as an empty blacklist enables direct SSRF exploitation.
- Implement network segmentation to restrict Budibase server access to internal infrastructure, reducing blast radius if SSRF is exploited.
- Monitor for anomalous outbound HTTP requests from Budibase servers, particularly requests to internal IP ranges or unexpected external destinations.
- Consider implementing additional URL validation at the network or application layer, including strict allowlisting of permitted plugin source domains.
- Audit plugin installation activity for suspicious URL patterns containing `.tar.gz` in query parameters or fragments prior to the fix date.
Evidence notes
The CVE description and NVD source confirm the vulnerability affects Budibase versions prior to 3.35.10. The GitHub Security Advisory (GHSA-xh5j-727m-w6gg) provides authoritative vendor disclosure. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.
Official resources
- CVE-2026-45061 CVE record (CVE.org)
- CVE-2026-45061 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27