Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
Published: 2026-04-03
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted outbound network access via SSRF
Action: Immediate Patch
AI Analysis

Impact

A flaw in Budibase's REST connector allows an attacker to direct the server to send requests to arbitrary URLs, bypassing the intended IP blacklist protection. The vulnerability results from an empty default blacklist environment variable, causing the SSRF guard to always return false and permitting unrestricted outbound traffic. The flaw is essentially a failure of a defensive filter that should reject or limit external requests.
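The failure mode described above, an IP blacklist that returns false whenever its configuration is empty, is easy to reproduce in a few lines and just as easy to fix by making the check fail closed. The following is an added illustration written for this page; it is not Budibase's code and does not claim to reproduce its REST connector. The helpers `parseBlacklist`, `isBlacklistedFailOpen` and `isBlacklistedFailClosed`, the built-in `DEFAULT_DENY` list, and the sample addresses are all assumptions made for the example. The fail-open variant mirrors the behaviour the advisory describes (unset `BLACKLIST_IPS` means nothing is ever blocked); the fail-closed variant falls back to a deny list of non-routable ranges when the variable is absent and rejects destinations it cannot evaluate.

```javascript
// Added example, not Budibase's code. Models the "empty blacklist => allow everything"
// flaw beside a fail-closed alternative. IPv4 only, no dependencies.

// Constructed regex for dotted-quad IPv4 validation (each octet 0-255).
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function isIPv4(s) {
  return typeof s === "string" && IPV4_RE.test(s);
}

// Convert "a.b.c.d" to an unsigned 32-bit integer (multiplication avoids int32 overflow).
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Parse a comma-separated list such as "10.0.0.0/8,127.0.0.1" into {base, bits} entries.
// Malformed entries throw rather than being silently dropped.
function parseBlacklist(envValue) {
  if (!envValue || !envValue.trim()) return [];
  return envValue.split(",").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [ip, prefix] = entry.split("/");
    const bits = prefix === undefined ? 32 : Number(prefix);
    if (!isIPv4(ip) || !Number.isInteger(bits) || bits < 0 || bits > 32) {
      throw new Error(`unsupported blacklist entry: ${entry}`);
    }
    return { base: ipv4ToInt(ip), bits };
  });
}

// True when ip falls inside the CIDR block {base, bits}.
function inCidr(ip, { base, bits }) {
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((base & mask) >>> 0);
}

// Fail-open check, modelled on the advisory: with no configured ranges the function
// returns false for every destination, so the SSRF guard never blocks anything.
function isBlacklistedFailOpen(ip, envValue) {
  const list = parseBlacklist(envValue);
  if (list.length === 0) return false;
  return list.some((cidr) => inCidr(ip, cidr));
}

// Assumed built-in deny list used when the operator has not configured one:
// loopback, RFC 1918 private ranges, link-local and the "this network" block.
const DEFAULT_DENY =
  "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,0.0.0.0/8";

// Fail-closed check: an unset or blank variable falls back to DEFAULT_DENY, and any
// destination that is not a plain IPv4 literal (hostnames, IPv6) is treated as blocked
// here because this helper cannot evaluate it.
function isBlacklistedFailClosed(ip, envValue) {
  if (!isIPv4(ip)) return true;
  const source = envValue && envValue.trim() ? envValue : DEFAULT_DENY;
  return parseBlacklist(source).some((cidr) => inCidr(ip, cidr));
}

// Usage: the same link-local destination under both policies with BLACKLIST_IPS unset.
const sample = "169.254.10.10"; // constructed link-local address
console.log("fail-open blocks?  ", isBlacklistedFailOpen(sample, process.env.BLACKLIST_IPS));
console.log("fail-closed blocks?", isBlacklistedFailClosed(sample, process.env.BLACKLIST_IPS));
```

Note the design choice in the fail-closed variant: when an operator does set `BLACKLIST_IPS`, the configured list is used as given rather than merged with the defaults, so a deployment that lists only `192.168.0.0/16` will still allow `10.0.0.0/8`. Whether to merge or replace is a policy decision; what matters for this advisory is that an absent variable never degrades into "allow all".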

Affected Systems

All Budibase installations running versions earlier than 3.33.4 are affected, regardless of deployment mode or configuration. The issue affects every deployment setup that relies on Budibase's REST datasource connector, since the BLACKLIST_IPS variable is missing from the official deployment definitions.

Risk and Exploitability

The CVSS score of 9.6 denotes a severe vulnerability capable of remote code execution or data exfiltration. EPSS is below 1%, indicating a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be interaction with the exposed REST API, which may be reachable by authenticated or unauthenticated users depending on the network configuration, leveraging the bypassed SSRF checks.

Generated by OpenCVE AI on April 8, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.33.4 or later to apply the SSRF fix. If immediate upgrade is not possible, configure the BLACKLIST_IPS environment variable with a non-empty list of IP ranges to re-enable SSRF filtering and restart the service. Verify that the environment variable is present in all deployment configurations and that outbound requests are now restricted.

Generated by OpenCVE AI on April 8, 2026 at 23:07 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-7r9j-r86q-7g45
Title: Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
History

Wed, 08 Apr 2026 21:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 21:30:00 +0000

Type: First Time appeared
Values added: Budibase; Budibase budibase

Type: Vendors & Products
Values added: Budibase; Budibase budibase

Fri, 03 Apr 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values added:

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 16:30:00 +0000

Type: Description
Values added: Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.

Type: Title
Values added: Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist

Type: Weaknesses
Values added: CWE-1188; CWE-918

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added:

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

Budibase Budibase
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T20:04:33.012Z

Reserved: 2026-03-09T17:41:56.076Z

Link: CVE-2026-31818

Vulnrichment

Updated: 2026-04-03T20:04:28.809Z

NVD

Status: Analyzed

Published: 2026-04-03T16:16:39.800

Modified: 2026-04-08T21:19:30.370

Link: CVE-2026-31818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:13Z

Weaknesses