Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
Published: 2026-04-03
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: Server Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The Budibase low-code platform allows server-side request forgery through its REST datasource connector when the environment variable controlling IP blacklisting is unset. With that list empty the protection layer does nothing, and an attacker can cause the server to make arbitrary outbound HTTP requests. The weakness is classified as CWE-918 and CWE-1188: the application can be forced to reach internal or external resources that should be inaccessible, potentially exposing sensitive information or enabling lateral movement.

Affected Systems

Any installation of Budibase older than version 3.33.4 is affected. The vulnerability resides in the REST connector component of the platform, regardless of deployment method, because the default configuration does not assign the BLACKLIST_IPS variable.

Risk and Exploitability

The CVSS score is 9.6, critical severity. There is no EPSS value or KEV listing, but because no active protection is in place, exploitation is straightforward once an attacker can invoke the REST connector (the CVSS vector records PR:L, so a low-privileged account suffices). The attack path is a connector request whose target URL points at a resource the server should not reach; with the blacklist check bypassed, the request proceeds unfiltered. The risk remains high until the patch or a workaround is applied.

Generated by OpenCVE AI on April 3, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.33.4 or later to apply the official patch
  • If an upgrade cannot be performed immediately, set the BLACKLIST_IPS environment variable to the list of IP ranges the connector must not reach, which re-enables the SSRF protection
  • If environment variables cannot be configured, disable the REST connector or restrict its use to trusted users only
  • Verify that no other vulnerable components remain in the deployment



Advisories

Source: GitHub GHSA
ID: GHSA-7r9j-r86q-7g45
Title: Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist

History

Fri, 03 Apr 2026 21:30:00 +0000
  Values added:
    First Time appeared: Budibase; Budibase budibase
    Vendors & Products: Budibase; Budibase budibase

Fri, 03 Apr 2026 20:15:00 +0000
  Values added:
    Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 16:30:00 +0000
  Values added:
    Description: (the Description text shown at the top of this page)
    Title: Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
    Weaknesses: CWE-1188, CWE-918
    References:
    Metrics (cvssV3_1): {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T20:04:33.012Z

Reserved: 2026-03-09T17:41:56.076Z

Link: CVE-2026-31818

Vulnrichment

Updated: 2026-04-03T20:04:28.809Z

NVD

Status : Received

Published: 2026-04-03T16:16:39.800

Modified: 2026-04-03T16:16:39.800

Link: CVE-2026-31818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:15:14Z

Weaknesses