Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet, including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration. At time of publication, there are no publicly available patches.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery enabling reconnaissance and credential theft
Action: Limit privileged access
AI Analysis

Impact

Administrator privileges are sufficient to trigger the vulnerability through the REST datasource query preview endpoint. The endpoint passes the user-supplied URL straight to its HTTP client, so an attacker can direct the Budibase backend to issue requests to arbitrary addresses. Because the request originates from the server, it can reach internal network resources such as cloud metadata services, databases, Kubernetes APIs, or other pods that external access controls would otherwise block.

Affected Systems

Budibase, a low-code platform for building internal tools, is affected. The flaw exists in all releases up to and including version 3.30.6. The specific component is the POST /api/queries/preview API, which does not validate the user-supplied URL in fields.path before the server requests it.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 8.7 (High): it is reachable over the network with low attack complexity and no user interaction, but requires high privileges, and scope is changed because the impact lands on systems beyond Budibase itself. The EPSS estimate of the probability of exploitation in the wild is below one percent, and the issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, although the SSVC assessment records that a proof of concept exists. Successful exploitation requires administrative credentials; once authenticated, the attacker can use the open-ended request to enumerate and reach internal services or to harvest cloud credentials from metadata endpoints.

Generated by OpenCVE AI on March 23, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround had been published at the time of writing. The GitHub advisory GHSA-4647-wpjq-hh7f should be checked for a patched release.

OpenCVE Recommended Actions

  • Restrict the admin role, and with it the REST datasource query preview endpoint, to the smallest set of trusted users; the SSRF is only reachable with admin credentials
  • Enforce an egress allowlist in front of the Budibase server (network policy, host firewall or forward proxy) so it can reach only approved domains or IP ranges, and block loopback, link-local, RFC 1918 and the 169.254.169.254 metadata address outright
  • Separate the Budibase deployment from sensitive internal services such as metadata endpoints, internal databases and the Kubernetes API; on AWS, enforcing IMDSv2 raises the bar because the token must first be obtained with a PUT, though it is not a complete defence where the attacker controls the request method and headers
  • Monitor Budibase logs for query preview requests whose target is a loopback, link-local, private or metadata address, and investigate promptly
  • Check the vendor's website and the GitHub advisory regularly for an update that addresses the SSRF issue

Generated by OpenCVE AI on March 23, 2026 at 21:06 UTC.
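The check the preview endpoint lacks, and the log review the recommendations ask for, as an added JavaScript example. This is not Budibase's code and is not taken from the advisory; all names are hypothetical, and the only Budibase detail assumed is that the target URL arrives in fields.path. The resolver is injected so the block runs offline: a constructed DNS table stands in for dns.promises.lookup(host, { all: true }), and the log lines are constructed, not Budibase's real log format. It relies on WHATWG URL parsing (Node's global URL) to canonicalise decimal, hex and short-form IPv4 hosts before the denylist is consulted.

```javascript
// Added example, not Budibase code. Names here are hypothetical; the only
// Budibase detail assumed is that the REST target URL arrives in fields.path.

const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal", "metadata"]);

// Non-routable and cloud-internal IPv4 space as [base, prefix length]; the
// 169.254.169.254 metadata address of AWS/GCP/Azure sits in the link-local block.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

function inBlockedV4(n) {
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Address-level denylist. IPv4-mapped IPv6 (dotted or hex form) is unwrapped and
// re-checked as IPv4; native IPv6 coverage is a simplification (loopback,
// unspecified, link-local, unique-local only).
function isBlockedAddress(addr) {
  const a = addr.toLowerCase();
  const dotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedAddress(dotted[1]);
  const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) return inBlockedV4(((parseInt(hex[1], 16) << 16) | parseInt(hex[2], 16)) >>> 0);
  const v4 = ipv4ToInt(a);
  if (v4 !== null) return inBlockedV4(v4);
  return a === "::1" || a === "::" || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a);
}

// Checks that need no DNS: scheme, blocked names, optional allowlist, IP literals.
// WHATWG parsing has already turned 2130706433, 0x7f000001 and 127.1 into 127.0.0.1.
function staticChecks(rawPath, allowlist = null) {
  let url;
  try { url = new URL(rawPath); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (BLOCKED_HOSTNAMES.has(host)) return { ok: false, reason: `host ${host} is blocked` };
  if (allowlist && !allowlist.some((d) => host === d || host.endsWith("." + d))) return { ok: false, reason: `host ${host} not in allowlist` };
  const literal = ipv4ToInt(host) !== null || host.includes(":");
  if (literal && isBlockedAddress(host)) return { ok: false, reason: `address ${host} is internal` };
  return { ok: true, host, literal, url: url.href };
}

// Verdict given every address the name resolves to: one internal record among
// public ones still fails. The vetted addresses are returned so the caller can pin
// them (e.g. the lookup option of http.request) instead of resolving again at
// connect time, which is the DNS rebinding window.
function classifyTarget(rawPath, resolvedAddresses, allowlist = null) {
  const s = staticChecks(rawPath, allowlist);
  if (!s.ok) return s;
  const addresses = s.literal ? [s.host] : resolvedAddresses;
  if (!addresses || addresses.length === 0) return { ok: false, reason: `no addresses for ${s.host}` };
  const bad = addresses.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `${s.host} resolves to internal address ${bad}` };
  return { ok: true, host: s.host, addresses, url: s.url };
}

// Async entry point; in production pass a resolver built on
// dns.promises.lookup(h, { all: true }). Re-run it on every redirect hop too.
async function checkRestTarget(rawPath, resolve, allowlist = null) {
  const s = staticChecks(rawPath, allowlist);
  if (!s.ok) return s;
  return classifyTarget(rawPath, s.literal ? [] : await resolve(s.host), allowlist);
}

// Log review for the monitoring recommendation. Constructed format, not Budibase's:
// one JSON object per line with the caller and the previewed fields.path. Flags
// what the static checks reject, so literal internal targets need no DNS.
function auditPreviewLog(lines) {
  const flagged = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const s = staticChecks(rec.path);
    if (!s.ok) flagged.push({ user: rec.user, path: rec.path, reason: s.reason });
  }
  return flagged;
}

// Constructed inputs so the block runs offline (203.0.113.0/24 is documentation space).
const STATIC_DNS = { "api.example.com": ["203.0.113.10"], "rebind.example": ["203.0.113.10", "10.0.0.5"] };
const SAMPLE_LOG = [
  '{"user":"admin@example.com","path":"https://api.example.com/v1/users"}',
  '{"user":"admin@example.com","path":"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"}',
  '{"user":"admin@example.com","path":"http://2130706433:2379/version"}',
  '{"user":"admin@example.com","path":"http://metadata.google.internal/computeMetadata/v1/"}',
];

checkRestTarget("https://rebind.example/hook", async (h) => STATIC_DNS[h] || []).then((v) => console.log("rebind:", v.reason));
console.log("flagged:", auditPreviewLog(SAMPLE_LOG).map((f) => f.reason));
```

Two design points matter in practice. The addresses returned by classifyTarget must be the ones the HTTP client actually connects to; if the client resolves the name again, a rebinding DNS server can answer with 169.254.169.254 the second time. And a 3xx from an allowed host to an internal address is the same bypass, so either disable redirect following or run the check on each hop.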

Advisories

Source: GitHub GHSA
ID: GHSA-4647-wpjq-hh7f
Title: Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview

History

Mon, 23 Mar 2026 19:15:00 +0000
  CPEs (added): cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 17:15:00 +0000
  Metrics (added): ssvc, version 2.0.3
    Automatable: no
    Exploitation: poc
    Technical Impact: total

Mon, 23 Mar 2026 10:00:00 +0000
  First Time appeared (added): Budibase; Budibase budibase
  Vendors & Products (added): Budibase; Budibase budibase

Sat, 21 Mar 2026 05:30:00 +0000
  Description (added): Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration. At time of publication, there are no publicly available patches.
  Title (added): Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview
  Weaknesses (added): CWE-918 (Server-Side Request Forgery)
  References (added):
  Metrics (added): cvssV3_1, score 8.7, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T16:48:16.745Z

Reserved: 2026-03-17T23:23:58.315Z

Link: CVE-2026-33226

Vulnrichment

Updated: 2026-03-23T16:48:12.269Z

NVD

Status : Analyzed

Published: 2026-03-20T23:16:46.333

Modified: 2026-03-23T19:14:07.133

Link: CVE-2026-33226

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:54Z

Weaknesses