PatchSiren cyber security CVE debrief
CVE-2026-48153 Budibase CVE debrief
A Server-Side Request Forgery (SSRF) vulnerability exists in Budibase's OAuth2 SDK prior to version 3.39.0. The `fetchToken` function makes POST requests to builder-supplied URLs using plain `node-fetch` without applying the `blacklist.isBlacklisted` check that protects other outbound fetch paths in the codebase. Additionally, the Joi schema for OAuth2 URLs lacks scheme or host restrictions, allowing attackers to supply arbitrary URLs including internal services. This enables authenticated attackers to make requests to internal network resources that would otherwise be blocked by the application's URL blacklist. The vulnerability is classified as CWE-918 (Server-Side Request Forgery).
- Vendor
- Budibase
- Product
- Unknown
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
Organizations running Budibase versions prior to 3.39.0, particularly those with multi-tenant deployments or instances accessible to untrusted users who can configure OAuth2 integrations. Security teams concerned with SSRF vulnerabilities in low-code platforms and supply chain risks from open-source development tools.
Technical summary
The Budibase OAuth2 SDK's `fetchToken` function in versions prior to 3.39.0 bypasses the application's URL blacklist protection mechanism. While other outbound fetch operations in Budibase validate URLs against `blacklist.isBlacklisted`, the OAuth2 token fetch path uses raw `node-fetch` without this check. Combined with permissive Joi schema validation that imposes no restrictions on URL scheme or host, this allows authenticated users to configure OAuth2 integrations that target arbitrary URLs including internal services, cloud metadata endpoints, and other restricted destinations. The vulnerability represents a partial SSRF vector with high confidentiality impact due to potential access to internal APIs and services.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Budibase to version 3.39.0 or later to obtain the fix for the missing blacklist validation in OAuth2 token fetching
- Review OAuth2 configuration URLs in existing Budibase deployments for any suspicious or unexpected endpoints that may have been configured by malicious actors
- Audit application logs for unusual outbound requests from Budibase instances, particularly POST requests to internal IP ranges or metadata endpoints
- Implement network segmentation to restrict Budibase application server egress to only necessary external services
- Consider implementing additional SSRF protections at the infrastructure level, such as egress filtering and DNS rebinding protections
- Review custom Budibase plugins or extensions that may implement similar OAuth2 flows to ensure they apply appropriate URL validation
Evidence notes
The vulnerability was disclosed via GitHub Security Advisory GHSA-4q6h-8p4v-67vq. The fix in version 3.39.0 adds the missing blacklist check to the OAuth2 token fetch path. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact.
Official resources
-
CVE-2026-48153 CVE record
CVE.org
-
CVE-2026-48153 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-27