PatchSiren cyber security CVE debrief
CVE-2026-48148 Budibase CVE debrief
## Summary

Budibase versions prior to 3.35.3 contain a server-side request forgery (SSRF) vulnerability in the VectorDB configuration endpoint. The endpoint accepts a host parameter without validation against internal IP ranges, reserved hostnames, or URL schemes. An authenticated user with builder-level access can supply arbitrary host values, including cloud metadata endpoints (169.254.169.254) or localhost, causing the server to initiate outbound TCP connections to internal network addresses on the attacker's behalf.

## Technical Details

The vulnerability exists in Budibase's VectorDB configuration functionality. The affected endpoint processes a host parameter that undergoes no validation against:

- Internal IP ranges (RFC 1918, RFC 6598)
- Reserved hostnames (localhost, loopback addresses)
- URL scheme restrictions

This allows attackers with builder-level privileges to coerce the Budibase server into making requests to internal infrastructure, potentially accessing cloud metadata services, internal APIs, or other restricted network resources.

The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and low confidentiality impact to the vulnerable system with low subsequent confidentiality impact.

## Affected Versions

- Budibase versions prior to 3.35.3

## Fixed Versions

- Budibase 3.35.3 and later

## Recommended Actions

1. **Upgrade immediately** to Budibase 3.35.3 or later to obtain the fix for this SSRF vulnerability.
2. **Review access controls** to ensure builder-level permissions are granted only to trusted users, as this vulnerability requires authenticated builder access to exploit.
3. **Monitor network egress** from Budibase servers for unexpected outbound connections to internal addresses or cloud metadata endpoints (169.254.169.254).
4. **Implement network segmentation** to restrict Budibase server access to sensitive internal resources and cloud metadata services where possible.
5. **Audit VectorDB configurations** for any unauthorized or suspicious host entries that may indicate prior exploitation attempts.
- Vendor: Budibase
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
## Who should care
Organizations running Budibase self-hosted instances with multiple users, particularly those where builder-level access is distributed beyond core administrative teams. Cloud deployments where Budibase servers have access to instance metadata services are at elevated risk.
## Technical summary
SSRF in Budibase VectorDB config allows authenticated builders to force server connections to internal IPs/cloud metadata endpoints via unvalidated host parameter. Fixed in 3.35.3.
## Defensive priority

High
## Recommended defensive actions
- Upgrade to Budibase 3.35.3 or later
- Restrict builder-level access to trusted users only
- Monitor outbound connections from Budibase servers for suspicious internal or metadata service traffic
- Implement network segmentation to limit server access to internal resources
- Audit existing VectorDB configurations for unauthorized host entries
## Evidence notes
Vulnerability description and fix version confirmed via GitHub Security Advisory. CVSS 4.0 vector and CWE-918 classification sourced from NVD record. Timeline dates derived from CVE published and modified timestamps.
## Official resources

- CVE-2026-48148 CVE record (CVE.org)
- CVE-2026-48148 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27