Description
Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. This vulnerability is fixed in 3.38.1.
Published: 2026-05-27
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase, prior to version 3.38.1, contained an SSRF bypass in the REST datasource integration that ignored the IP blacklist after following HTTP redirects. An authenticated Builder can supply a REST datasource URL pointing to an attacker‑controlled server that redirects to an internal service, allowing that user to reach cloud metadata, databases, or other internal endpoints that should have been inaccessible. This flaw permits confidentiality exposure and the potential for further internal network compromise.

Affected Systems

All Budibase releases before 3.38.1, specifically the server package (packages/server/src/integrations/rest.ts) whose REST datasource integration follows HTTP redirects without re‑checking the IP blacklist against the redirect target.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. EPSS data is not available, but the exploit requires only an authenticated Builder account and an attacker‑controlled redirect server, making it a realistic threat for organizations with such users. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the SSRF by creating a malicious REST datasource, resulting in internal resource exposure and potential lateral movement.

Generated by OpenCVE AI on May 27, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.38.1 or later to restore proper IP blacklist checks after HTTP redirects.
  • Audit REST datasource configurations to ensure that redirects are not allowed to internal IP ranges, and apply network segmentation or firewall rules to block unintended internal traffic.
  • Re‑evaluate the Builder role permissions; consider restricting the ability to create or modify REST datasources when the update cannot be applied immediately.

Generated by OpenCVE AI on May 27, 2026 at 19:18 UTC.
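A redirect-aware guard of the kind the fix and the second recommended action call for, written here as an added example (it is not Budibase's own code and not the contents of rest.ts): automatic redirect following is disabled, redirects are walked by hand, and the IP blacklist is re-applied to every hop. The blacklist ranges, the `resolve`/`doFetch` callbacks and the hop limit are assumptions constructed for this example.

```javascript
// Constructed blacklist: loopback, RFC 1918, link-local (covers the cloud
// metadata address 169.254.169.254), CGNAT and "this network".
const BLOCKED_V4 = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["169.254.0.0", 16], ["100.64.0.0", 10], ["0.0.0.0", 8],
];
const V4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
// Dotted-quad IPv4 to unsigned 32-bit integer, or null if not a valid IPv4.
function v4ToInt(ip) {
  const m = V4_RE.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// True when the address must never be contacted by a datasource request.
function isBlockedAddress(ip) {
  const addr = ip.toLowerCase().replace(/^\[|\]$/g, "");
  const n = v4ToInt(addr);
  if (n !== null) {
    return BLOCKED_V4.some(([base, bits]) => ((n ^ v4ToInt(base)) >>> (32 - bits)) === 0);
  }
  if (addr.includes(":")) {                         // IPv6 literal
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr);
    if (mapped) return isBlockedAddress(mapped[1]); // IPv4-mapped, e.g. ::ffff:127.0.0.1
    return addr === "::1" || addr === "::" || /^f[cd]/.test(addr) || /^fe[89ab]/.test(addr);
  }
  return true;                                      // not an IP literal: reject
}

// Follow redirects by hand. `resolve(host)` returns a hostname's addresses and
// `doFetch(href)` performs ONE request with redirects disabled, returning
// { status, headers, body }. Both are synchronous here to keep the example
// self-contained; with real DNS and HTTP they would be awaited.
function guardedFetch(startUrl, { resolve, doFetch, maxHops = 5 }) {
  let url = new URL(startUrl);
  for (let hop = 0; hop <= maxHops; hop++) {
    const host = url.hostname.replace(/^\[|\]$/g, "");
    const literal = v4ToInt(host) !== null || host.includes(":");
    const addrs = literal ? [host] : resolve(host);
    // The check runs on EVERY hop, not only on the URL the Builder entered.
    // (Production code should also pin the connection to the checked address.)
    if (addrs.length === 0 || addrs.some(isBlockedAddress)) {
      throw new Error(`blocked: ${url.hostname} is blacklisted at hop ${hop}`);
    }
    const res = doFetch(url.href);
    if (res.status < 300 || res.status > 399 || !res.headers.location) return res;
    url = new URL(res.headers.location, url);       // relative Location allowed
  }
  throw new Error(`too many redirects (more than ${maxHops})`);
}
```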

Advisories

  Source: GitHub GHSA
  ID: GHSA-fgqv-jh4g-pvg2
  Title: Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
History

Thu, 28 May 2026 14:15:00 +0000

  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 03:30:00 +0000

  First Time appeared (values added): Budibase; Budibase budibase
  Vendors & Products (values added): Budibase; Budibase budibase

Wed, 27 May 2026 17:45:00 +0000

  Description (values added): Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. This vulnerability is fixed in 3.38.1.
  Title (values added): Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
  Weaknesses (values added): CWE-918
  References
  Metrics (values added): cvssV3_1
    {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:02:17.420Z

Reserved: 2026-05-13T05:51:48.666Z

Link: CVE-2026-45715

Vulnrichment

Updated: 2026-05-28T14:02:07.082Z

NVD

Status : Deferred

Published: 2026-05-27T18:16:25.340

Modified: 2026-05-28T14:16:22.477

Link: CVE-2026-45715

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:15:05Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)