Impact
Budibase, an open‑source low‑code platform, has a server‑side request forgery (SSRF) flaw in its executeQuery automation step. The step accepts a user‑controlled queryId and passes it directly to the query execution controller without validation; when the associated REST datasource points at internal infrastructure, the server performs outbound HTTP requests to attacker‑chosen destinations. Because the automation's output returns the remote response, an attacker can exfiltrate data from internal services. This is a classic instance of CWE‑918 (Server‑Side Request Forgery).
Affected Systems
All Budibase releases prior to version 3.39.0 are affected. The flaw resides in the executeQuery automation step and is reachable on Budibase servers configured with REST datasources that can target internal networks. No specific operating system or deployment platform is named, so any Budibase installation that exposes automation steps should be treated as susceptible.
Risk and Exploitability
The CVSS score of 5.1 rates this issue as moderate severity; the vulnerability is not listed in the CISA KEV catalogue and no EPSS score is available, which suggests a lower likelihood of exploitation. Exploitation requires the ability to trigger an automation step that uses a REST datasource. An attacker who can invoke the step (through the Budibase web UI, the API, or an automated workflow) can supply arbitrary queryIds that resolve to internal URLs, coerce the server into fetching those resources, and read the sensitive responses. The impact is primarily data exposure from internal services, not remote code execution. Mitigation should therefore prioritise limiting automation execution rights or isolating the server from internal network ranges.
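The paragraphs above describe the two halves of the flaw: an unvalidated, user‑chosen queryId, and a datasource whose URL the server will fetch even when it points at internal address space. The guard below is an added example, not Budibase's code or its actual fix, showing the egress check a server‑side HTTP client should apply before fetching any URL a user was able to influence: it rejects non‑HTTP schemes, resolves the hostname, and refuses loopback, RFC 1918, link‑local (including cloud metadata endpoints) and IPv6 local ranges. The function names, hostnames and the DNS table are constructed for the example; the resolver is injected so the code runs offline.

```javascript
// Added example (not Budibase code): egress guard applied before a server
// fetches a datasource URL a user could choose. Hostnames and the DNS table
// below are constructed for the example.

const IPV4_RE = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// 4 for a dotted-quad IPv4 literal, 6 for something shaped like IPv6, else 0.
function ipVersion(host) {
  if (IPV4_RE.test(host)) return 4;
  if (host.includes(":") && /^[0-9a-f:.]+$/i.test(host)) return 6;
  return 0;
}

// Dotted quad -> 32-bit unsigned integer.
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Ranges a server must never fetch on a user's behalf: "this network",
// RFC 1918 private space, CGNAT, loopback, and link-local (which contains
// cloud metadata endpoints such as 169.254.169.254).
const BLOCKED_V4 = [
  ["0.0.0.0", 8],
  ["10.0.0.0", 8],
  ["100.64.0.0", 10],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
];

function inCidr(ip, [base, bits]) {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// True when a literal IP address points at internal infrastructure.
function isInternalAddress(ip) {
  const version = ipVersion(ip);
  if (version === 4) return BLOCKED_V4.some((range) => inCidr(ip, range));
  if (version === 6) {
    const lower = ip.toLowerCase();
    // IPv4-mapped addresses (::ffff:a.b.c.d) are judged by their IPv4 form.
    const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isInternalAddress(mapped[1]);
    return (
      lower === "::1" || lower === "::" || // loopback, unspecified
      /^f[cd]/.test(lower) ||               // fc00::/7 unique local
      /^fe[89ab]/.test(lower)               // fe80::/10 link-local
    );
  }
  return true; // not an address literal at all: refuse rather than guess
}

// Vet a URL before the server fetches it. `resolveHost` maps a hostname to
// the addresses it resolves to; it is injected so the check runs offline here
// and so the caller can connect to exactly the addresses that were vetted.
function vetDestination(rawUrl, resolveHost) {
  let url;
  try {
    url = new URL(rawUrl); // also normalises encodings such as http://0x7f.1/
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const addresses = ipVersion(host) ? [host] : resolveHost(host);
  if (addresses.length === 0) {
    return { allowed: false, reason: "hostname did not resolve" };
  }
  // One internal record is enough to refuse: a name that resolves to both
  // public and private addresses is how DNS rebinding presents itself.
  const internal = addresses.find(isInternalAddress);
  if (internal) {
    return { allowed: false, reason: `resolves to internal address ${internal}` };
  }
  return { allowed: true, addresses };
}

// Constructed DNS table standing in for dns.promises.resolve4/resolve6.
const FAKE_DNS = {
  "api.example.com": ["203.0.113.10"],
  "metadata.internal.example": ["169.254.169.254"],
  "rebind.example": ["203.0.113.20", "10.0.0.5"],
};
const fakeResolve = (host) => FAKE_DNS[host] || [];

// Example run over constructed targets.
for (const t of ["https://api.example.com/v1", "http://rebind.example/", "http://[::1]:8080/"]) {
  console.log(t, "->", JSON.stringify(vetDestination(t, fakeResolve)));
}
```

In production the resolver would wrap dns.promises.resolve4/resolve6, and the HTTP client should connect to the vetted addresses rather than resolving the name a second time, so a record that changes between check and connect cannot slip through; the same check must be re-applied to every redirect target. This egress guard complements, rather than replaces, the access-control fixes the page points to: verifying that the supplied queryId is one the calling app is entitled to run, and restricting who may execute automations at all.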
OpenCVE Enrichment