PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54353 Budibase CVE debrief

CVE-2026-54353 is a Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch, so a name that resolved to a permitted address at check time can resolve to an internal address when the socket is opened. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. The vulnerability is fixed in version 3.39.9; users should update to this version. Additionally, defenders should monitor and restrict access to internal services.

Vendor: Budibase
Product: Unknown
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Budibase users and administrators should be aware of this vulnerability and take immediate action to update to version 3.39.9. Additionally, defenders should monitor and restrict access to internal services. Security teams should review their inventory of Budibase instances and prioritize patching.

Technical summary

The vulnerability is a time-of-check/time-of-use gap in Budibase's outbound fetch flow: the hostname is resolved and validated against the blacklist before the request is sent, but the socket connection performs a separate DNS lookup through node-fetch. An attacker-controlled name can therefore answer with an allowed address for the check and an internal address for the connection (DNS rebinding), bypassing the blacklist. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host.

Defensive priority

High priority should be given to patching Budibase instances to version 3.39.9. Defenders should also monitor and restrict access to internal services.

Recommended defensive actions

  • Update Budibase to version 3.39.9
  • Monitor and restrict access to internal services
  • Review inventory of Budibase instances and prioritize patching
  • Implement additional security measures to detect and prevent SSRF attacks
  • Conduct regular security audits and vulnerability assessments

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its impact. The source item URL provides additional context on the vulnerability. The reference URL provides information on the fix and mitigation.

Official resources

This article was generated with AI assistance based on the supplied source corpus.