PatchSiren cyber security CVE debrief
CVE-2026-48128 Budibase CVE debrief
CVE-2026-48128 is a server-side request forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The issue exists in the executeQuery automation step prior to version 3.39.0. The automation step accepts a queryId from user-controlled inputs and passes it directly to the query execution controller without validation. When a REST datasource is configured to target internal infrastructure, this allows an attacker with high privileges to cause the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output returns the response, potentially exposing data from internal services. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required user interaction, and high privileges required, with low confidentiality impact to the vulnerable system and low confidentiality impact to subsequent systems. The vulnerability was fixed in Budibase version 3.39.0.
- Vendor: Budibase
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Budibase versions prior to 3.39.0 with REST datasources configured for internal infrastructure; security teams responsible for low-code platform governance; DevOps engineers managing Budibase deployments with automation workflows; network security teams monitoring for SSRF attack patterns
Technical summary
The executeQuery automation step in Budibase versions prior to 3.39.0 fails to validate the queryId parameter before passing it to the query execution controller. This validation gap, combined with REST datasources configured for internal targets, creates an SSRF vector. An authenticated attacker with high privileges can manipulate the queryId to cause the Budibase server to issue HTTP requests to arbitrary destinations, including internal services. The server returns the response through automation output, potentially exfiltrating data from internal systems. The vulnerability requires high privileges and network access but no user interaction.
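The summary above describes a classic indirect-reference SSRF: the server does the fetching, and the caller only picks which pre-configured query runs. The following is an added illustration, not Budibase's code and not the fix shipped in 3.39.0; every type and function name in it is hypothetical. It places a step that forwards a caller-supplied queryId unchecked next to one that only executes queries bound to the automation at design time.

```typescript
// Added illustration, not Budibase's code: a query-execution automation step that
// forwards a caller-supplied queryId unchecked, next to a hardened variant.
// Every type and function name here is hypothetical.

interface QueryDefinition {
  id: string;
  datasourceId: string;
  url: string; // base URL the REST datasource sends the query to
}

interface StepResult {
  ok: boolean;
  error?: string;
  targetUrl?: string; // where the request would have gone
}

// Stand-in for the query execution controller. The real controller would issue
// the HTTP request; here it only reports the destination it resolved.
function executeQueryById(queryId: string, store: Map<string, QueryDefinition>): StepResult {
  const query = store.get(queryId);
  if (!query) return { ok: false, error: `unknown query ${queryId}` };
  return { ok: true, targetUrl: query.url };
}

// Vulnerable shape: whatever queryId arrives in the step inputs is executed.
// If any query in the app is bound to a REST datasource that points at internal
// infrastructure, naming that query makes the server fetch from it and hands the
// response back through the automation output.
function vulnerableStep(inputs: { queryId: string }, store: Map<string, QueryDefinition>): StepResult {
  return executeQueryById(inputs.queryId, store);
}

// Hardened shape: the step accepts only a string queryId that an administrator
// bound to this automation at design time. The allowlist lives with the
// automation definition, so runtime inputs cannot widen it.
function hardenedStep(
  inputs: { queryId: unknown },
  boundQueryIds: ReadonlySet<string>,
  store: Map<string, QueryDefinition>,
): StepResult {
  if (typeof inputs.queryId !== "string") {
    return { ok: false, error: "queryId must be a string" };
  }
  if (!boundQueryIds.has(inputs.queryId)) {
    return { ok: false, error: `query ${inputs.queryId} is not bound to this automation` };
  }
  return executeQueryById(inputs.queryId, store);
}

// Constructed sample data for the demonstration.
const SAMPLE_QUERIES = new Map<string, QueryDefinition>([
  ["q_public_crm", { id: "q_public_crm", datasourceId: "ds_crm", url: "https://crm.example.com/api/v1" }],
  ["q_internal_admin", { id: "q_internal_admin", datasourceId: "ds_admin", url: "http://10.0.0.12:8080/admin" }],
]);
const BOUND_TO_AUTOMATION: ReadonlySet<string> = new Set(["q_public_crm"]);

// Runs both shapes against the same caller-chosen input and reports the outcome.
function demo(): { vulnerable: StepResult; hardened: StepResult } {
  const callerInput = { queryId: "q_internal_admin" };
  return {
    vulnerable: vulnerableStep(callerInput, SAMPLE_QUERIES),
    hardened: hardenedStep(callerInput, BOUND_TO_AUTOMATION, SAMPLE_QUERIES),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the hardened variant is where the allowlist lives: the set of queries a step may run is part of the automation definition an administrator saved, so nothing a caller places in the runtime inputs can select a query outside it. Type-checking the input first also keeps non-string values from reaching the controller.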
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade Budibase to version 3.39.0 or later to remediate this vulnerability
- Review REST datasource configurations to ensure they do not target sensitive internal infrastructure
- Audit automation configurations for unauthorized or suspicious query definitions
- Implement network segmentation to restrict Budibase server outbound connectivity to internal services
- Monitor automation execution logs for anomalous query patterns or unexpected external requests
- Apply principle of least privilege to Budibase user accounts with automation configuration access
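Two of the actions above, reviewing REST datasource targets and monitoring execution logs for requests to internal destinations, share one question: does this URL point at internal infrastructure? The following added example (not Budibase's code) answers it once and applies the answer both to a datasource configuration list and to automation log lines. The datasource shape and the log line format are assumptions, and all sample data is constructed.

```typescript
// Added example, not Budibase's code: flag REST datasources whose target is
// internal infrastructure (the "Review REST datasource configurations" action),
// and reuse the same classifier over automation execution log lines (the
// "Monitor automation execution logs" action). The datasource shape and the log
// line format are assumptions; the sample data is constructed.

function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) >>> 0) + (o[1] << 16) + (o[2] << 8) + o[3];
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === (((ipv4ToInt(base) as number) & mask) >>> 0);
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Reason the URL points at internal infrastructure, or null if it looks external.
// Literal IPs are checked against loopback, RFC 1918, link-local and unspecified
// ranges; names are only matched on reserved private suffixes.
function internalTargetReason(rawUrl: string): string | null {
  const u = parseUrl(rawUrl);
  if (!u) return "unparseable URL";
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal")) {
    return `reserved private name ${host}`;
  }
  if (host === "::1" || host === "::") return "IPv6 loopback or unspecified address";
  const ip = ipv4ToInt(host);
  if (ip === null) return null; // public hostname: DNS decides at request time, see note
  if (inCidr(ip, "127.0.0.0", 8)) return "loopback";
  if (inCidr(ip, "10.0.0.0", 8) || inCidr(ip, "172.16.0.0", 12) || inCidr(ip, "192.168.0.0", 16)) {
    return "RFC 1918 private range";
  }
  if (inCidr(ip, "169.254.0.0", 16)) return "link-local range (cloud metadata services live here)";
  if (inCidr(ip, "0.0.0.0", 8)) return "unspecified address";
  return null;
}

interface RestDatasource { id: string; name: string; url: string; }

// Configuration review: every datasource whose base URL is an internal target.
function auditDatasources(list: RestDatasource[]): { id: string; reason: string }[] {
  const findings: { id: string; reason: string }[] = [];
  for (const d of list) {
    const reason = internalTargetReason(d.url);
    if (reason) findings.push({ id: d.id, reason });
  }
  return findings;
}

// Assumed log shape: "<ts> automation=<id> step=executeQuery query=<id> url=<url> status=<code>"
function flagInternalRequests(lines: string[]): string[] {
  return lines.filter((line) => {
    const m = / url=(\S+)/.exec(line);
    return m !== null && internalTargetReason(m[1]) !== null;
  });
}

// Constructed sample configuration and log lines.
const SAMPLE_DATASOURCES: RestDatasource[] = [
  { id: "ds_crm", name: "CRM", url: "https://crm.example.com/api/v1" },
  { id: "ds_admin", name: "Admin panel", url: "http://10.20.30.40:8080/" },
  { id: "ds_vault", name: "Secrets", url: "https://vault.internal:8200/v1/" },
  { id: "ds_meta", name: "Misc", url: "http://169.254.169.254/" },
];

const SAMPLE_LOG: string[] = [
  "2026-05-27T10:00:01Z automation=au_1 step=executeQuery query=q_crm url=https://crm.example.com/api/v1/leads status=200",
  "2026-05-27T10:00:02Z automation=au_7 step=executeQuery query=q_x url=http://10.20.30.40:8080/users status=200",
  "2026-05-27T10:00:03Z automation=au_1 step=executeQuery query=q_crm url=https://crm.example.com/api/v1/deals status=500",
];

console.log(auditDatasources(SAMPLE_DATASOURCES));
console.log(flagInternalRequests(SAMPLE_LOG));
```

Treat this as a review and triage aid, not a complete SSRF filter: it inspects literal IPv4 addresses and a few reserved name suffixes, so a datasource pointing at a public hostname that resolves to an internal address at request time, or an address written in an unusual notation, passes unflagged. That is why the network segmentation action above still matters; restricting the server's outbound connectivity holds at request time regardless of how the destination was spelled.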
Evidence notes
The vulnerability description is sourced from the official CVE record published by NVD on 2026-05-27. The fix version 3.39.0 and technical details regarding the executeQuery automation step are derived from the CVE description. The CVSS 4.0 vector and CWE-918 classification are present in the NVD source metadata. The GitHub Security Advisory (GHSA-6964-pp88-6wp9) is referenced as the primary source in the NVD record.
Official resources
- CVE-2026-48128 CVE record (CVE.org)
- CVE-2026-48128 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27