PatchSiren cyber security CVE debrief

CVE-2026-48146 Budibase CVE debrief

CVE-2026-48146 is a Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The flaw is in the OAuth2 token fetch function in `packages/server/src/sdk/workspace/oauth2/utils.ts` in versions prior to 3.39.0. That function issues a raw `fetch(config.url)` with no destination check, even though the codebase already has a `fetchWithBlacklist()` wrapper that is applied to its other outbound HTTP paths (automation steps, plugin downloads and object store interactions). Because the token URL is part of the OAuth2 configuration that a user with the BUILDER role can edit, such a user can point it at services reachable only from the Budibase server, such as CouchDB or a cloud metadata endpoint, and read what those services return. The vulnerability carries a CVSS 3.1 base score of 7.7 (HIGH) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N: network attack vector, low complexity, low privileges required, no user interaction, changed scope (the request is made with the server's network position, not the user's), high confidentiality impact and no integrity or availability impact. The weakness is classified as CWE-918 (Server-Side Request Forgery). Budibase fixed the issue in version 3.39.0 by applying the same SSRF protection to the OAuth2 token fetch.

Vendor
Budibase
Product
Budibase (server package, `packages/server`)
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running self-hosted Budibase instances in which non-administrator users hold the BUILDER role, particularly multi-tenant deployments and environments that rely on network segmentation to keep CouchDB, other databases or the cloud metadata service out of reach. Security teams monitoring for SSRF in low-code/no-code platforms, since any feature that lets a user supply an outbound URL is a candidate for the same bug. DevOps engineers responsible for hardening Budibase infrastructure.

Technical summary

Before 3.39.0, the OAuth2 token fetch utility in the Budibase server performs an unvalidated outbound HTTP request to whatever token URL is stored in the OAuth2 configuration. The `fetchWithBlacklist()` wrapper that guards automation steps and plugin downloads was not applied on this code path, so the usual blocklist of private, loopback and link-local destinations never ran. A BUILDER-role user can therefore set the token URL to internal infrastructure, including the cloud metadata service and database endpoints, and the server fetches it on their behalf, disclosing the response. The exposure is read-only (CVSS C:H, I:N, A:N) but scope-changing, because the request originates from the server's network position. The fix in 3.39.0 routes the token fetch through the same SSRF protection as the other outbound calls.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Budibase to version 3.39.0 or later, which routes the OAuth2 token fetch through the SSRF protection already used by the platform's other outbound HTTP calls
  • Review stored OAuth2 configurations for token URLs that point at loopback, private or link-local addresses, internal hostnames (CouchDB, other databases) or cloud metadata endpoints, and check who created or last changed them
  • Review egress, proxy and network flow logs (not the application's inbound access logs) for HTTP requests from the Budibase server to internal services, particularly those coinciding with OAuth2 token fetch operations
  • If you run a fork or custom build of the server, verify that fetchWithBlacklist() or an equivalent guard is applied to every outbound HTTP call that takes a user-supplied URL, not only the paths the upstream fix covers
  • Restrict BUILDER role membership to trusted users where possible, or add an approval workflow for OAuth2 configuration changes, since this role was sufficient to trigger the request
  • Monitor for anomalous DNS resolutions or HTTP requests from Budibase application servers to internal IP ranges, database services, or cloud metadata endpoints (169.254.169.254; on AWS also fd00:ec2::254 over IPv6)
  • As a compensating control on AWS until upgraded, enforce IMDSv2, whose PUT-then-header token flow blunts SSRF primitives that cannot control request method and headers; this does not protect internal services such as CouchDB

Evidence notes

Vulnerability description, affected file and fix version confirmed via GitHub Security Advisory GHSA-g6qx-g4pr-92v7. CVSS vector and CWE classification sourced from the NVD record. Timeline dates derived from the CVE published and modified timestamps; CISA KEV status reflects the stored evidence at the time of writing, not a live query.

Official resources

GitHub Security Advisory GHSA-g6qx-g4pr-92v7 (published 2026-05-27): https://github.com/advisories/GHSA-g6qx-g4pr-92v7
NVD record for CVE-2026-48146: https://nvd.nist.gov/vuln/detail/CVE-2026-48146