Description
Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes this check. The URL then proceeds directly to fetchWithBlacklist() with no further validation of host, scheme, or path. Standalone, this vulnerability is blocked by Budibase's default SSRF blacklist, which covers private IP ranges. But the URL validation layer itself is broken regardless, and it directly enables SSRF in two realistic situations: (1) when chained with the BLACKLIST_IPS bypass ([001]), where the blacklist is empty; and (2) when the plugin server follows HTTP redirects from an external URL to an internal target (the default node-fetch behavior with redirect: 'follow'). This vulnerability is fixed in 3.35.10.
Published: 2026-05-27
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase’s plugin upload endpoint (/api/plugin) accepts any URL that contains the substring ".tar.gz", after which it fetches the URL without further host or path validation. Because the server can be instructed to follow HTTP redirects, an attacker can supply a crafted URL that redirects to an internal address, thereby bypassing the default blacklist of private IP ranges or exploiting an empty blacklist. This flaw constitutes a server‑side request forgery (CWE‑918) that permits the attacker to force the Budibase instance to resolve and access arbitrary internal resources.

Affected Systems

Any Budibase deployment running a version earlier than 3.35.10 is affected. The vulnerability resides in the /api/plugin endpoint used for uploading plugin packages, and the impact is independent of custom blacklist configurations.

Risk and Exploitability

The CVSS score of 7.7 classifies the vulnerability as high severity. No EPSS value is available, so the current likelihood of exploitation is unknown, and the flaw is not listed in the CISA KEV catalog, indicating no confirmed exploitation events. Nonetheless, a publicly exposed Budibase instance that accepts external plugin URLs offers an attacker a straightforward path to trigger SSRF by sending a URL containing ".tar.gz" that redirects to an internal target. The combination of high impact and the possibility of bypassing the SSRF blacklist results in a considerable risk for affected installations.

Generated by OpenCVE AI on May 27, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.35.10 or newer, which replaces the substring check with a proper .tar.gz path validation.
  • Ensure the SSRF blacklist is populated; if it has been emptied, restore the default private‑IP ranges to maintain the basic protection mechanism.
  • If an immediate upgrade is not possible, disable the /api/plugin endpoint or block outbound connections from Budibase to external hosts until the fix can be applied.
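As an added illustration (not Budibase's own code, and not necessarily how 3.35.10 fixed it): the substring check quoted in the description beside a stricter validator that checks scheme and the decoded path, plus a fetch wrapper that refuses redirects so a host check on the submitted URL cannot be skipped by a 3xx hop. Function names and the exact policy are assumptions; it uses Node's built-in URL and fetch.

```javascript
// Weak check as described in the advisory: ".tar.gz" anywhere in the string
// (path, query or fragment) is accepted.
function weakPluginUrlCheck(url) {
  return url.includes(".tar.gz");
}

// Stricter check (assumed policy): parse the URL, allow only http(s), reject
// embedded credentials, and require the ".tar.gz" suffix on the decoded
// path itself, so query strings and fragments cannot satisfy it.
function validatePluginUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return { ok: false, reason: `unsupported scheme ${parsed.protocol}` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  let path;
  try {
    path = decodeURIComponent(parsed.pathname);
  } catch {
    return { ok: false, reason: "bad percent-encoding in path" };
  }
  if (!path.endsWith(".tar.gz")) {
    return { ok: false, reason: "path must end in .tar.gz" };
  }
  return { ok: true, url: parsed.href };
}

// Download the archive without following redirects: with redirect: "follow"
// a validated external URL could still hop to another host. `fetchImpl` is
// injectable so the example can be exercised offline with a fake fetch.
async function fetchPluginArchive(rawUrl, fetchImpl = globalThis.fetch) {
  const v = validatePluginUrl(rawUrl);
  if (!v.ok) throw new Error(`rejected plugin URL: ${v.reason}`);
  const res = await fetchImpl(v.url, { redirect: "manual" });
  if (res.status >= 300 && res.status < 400) {
    throw new Error(`refusing to follow redirect (${res.status}) from ${v.url}`);
  }
  if (!res.ok) throw new Error(`download failed: HTTP ${res.status}`);
  return res;
}
```

A host allow-list or the existing IP blacklist still belongs on top of this; the validator only fixes the suffix check and the redirect handling.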


Tracking


Advisories
Source | ID | Title
GitHub GHSA | GHSA-xh5j-727m-w6gg | Budibase vulnerable to SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)
History

Wed, 27 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes this check. The URL then proceeds directly to fetchWithBlacklist() with no further validation of host, scheme, or path. Standalone, this vulnerability is blocked by Budibase's default SSRF blacklist, which covers private IP ranges. But the URL validation layer itself is broken regardless, and it directly enables SSRF in two realistic situations: (1) when chained with the BLACKLIST_IPS bypass ([001]), where the blacklist is empty; and (2) when the plugin server follows HTTP redirects from an external URL to an internal target (the default node-fetch behavior with redirect: 'follow'). This vulnerability is fixed in 3.35.10.
Title | | Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T16:50:57.549Z

Reserved: 2026-05-08T18:45:10.095Z

Link: CVE-2026-45061

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-27T18:16:24.293

Modified: 2026-05-27T19:45:41.590

Link: CVE-2026-45061

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses