PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45715 Budibase CVE debrief

Budibase versions prior to 3.38.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the REST datasource integration. The application follows HTTP redirects without re-validating the destination IP address against the configured blacklist, enabling an authenticated Builder to access internal services—including cloud metadata endpoints and databases—by redirecting requests through an attacker-controlled server. The vulnerability stems from insufficient validation during the redirect handling in packages/server/src/integrations/rest.ts. This is classified as CWE-918 (Server-Side Request Forgery). The issue was disclosed on 2026-05-27 and is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Budibase
Product: Unknown
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Organizations running Budibase prior to 3.38.1 with Builder users who may configure REST datasources; security teams monitoring for SSRF vulnerabilities in low-code platforms; cloud infrastructure administrators concerned about metadata service exposure.

Technical summary

The Budibase REST datasource integration (packages/server/src/integrations/rest.ts) fails to re-validate destination IP addresses against the configured blacklist when following HTTP redirects. An authenticated Builder can exploit this by configuring a REST datasource with an attacker-controlled external URL that returns an HTTP redirect response to an internal service (e.g., 169.254.169.254 for cloud metadata, or internal database endpoints). The application follows the redirect and returns the response to the attacker, achieving SSRF. The vulnerability requires low privileges (Builder role) and no user interaction. Scope is changed due to the impact on internal services. The fix in version 3.38.1 ensures IP blacklist validation occurs after each redirect hop.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Budibase to version 3.38.1 or later to remediate the SSRF vulnerability in the REST datasource integration.
  • Review and audit REST datasource configurations for unauthorized internal network access attempts.
  • Implement network segmentation to restrict Budibase server access to sensitive internal services such as cloud metadata endpoints and databases.
  • Monitor application logs for anomalous outbound HTTP requests, particularly those following redirect chains to internal IP ranges.
  • Validate that existing IP blacklist configurations are enforced at each stage of HTTP request processing, including after redirect responses.

Evidence notes

Vulnerability description and fix version confirmed via GitHub Security Advisory GHSA-fgqv-jh4g-pvg2 and Budibase release 3.38.1. CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high confidentiality impact.

Official resources

2026-05-27