CVE-2026-48146 - Vulnerability Details

Description

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used in every other outbound HTTP call (automation steps, plugin downloads, object store), but was not applied to the OAuth2 token endpoint. A user with BUILDER role can point the OAuth2 token URL to internal services (CouchDB, cloud metadata) to exfiltrate sensitive data. This vulnerability is fixed in 3.39.0.

Published: 2026-05-27

Score: 7.7 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

Budibase versions prior to 3.39.0 expose the OAuth2 token fetch function to SSRF attacks because the code uses raw fetch calls without the recommended fetchWithBlacklist protection. A user who has the BUILDER role can configure the OAuth2 token URL to point to internal services such as CouchDB or cloud metadata endpoints. When the platform later requests the token, the request is sent from the Budibase server to the specified internal service, allowing the attacker to read sensitive configuration data or other internal resources.

Affected Systems

The affected product is Budibase itself. All deployments running any version earlier than 3.39.0 are vulnerable. The vulnerability specifically impacts users who can modify OAuth2 configuration and have the BUILDER role authorization.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity vulnerability. Although the EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, the potential for internal data theft remains significant. The likely attack vector is a legitimate client with BUILDER privileges who configures a malicious OAuth2 token URL; the vulnerability does not require external network access beyond normal operation of the Budibase instance, but it can be leveraged to exfiltrate internal data from the environment where Budibase is hosted.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Budibase

budibase

affected

Version	Status	Constraints
`< 3.39.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Budibase to version 3.39.0 or newer to apply the fix that correctly wraps the OAuth2 token request with fetchWithBlacklist.
If an upgrade cannot be performed immediately, restrict the BUILDER role so that only trusted administrators can modify OAuth2 configurations, or remove the ability to set the OAuth2 token URL entirely.
Configure a network firewall or internal DNS policy to prevent the Budibase server from resolving or accessing internal service URLs that should not be reachable from outbound connections.

Generated by OpenCVE AI on May 27, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/Budibase/budibase/security/advisories/GHSA-g6qx-g4pr-92v7

History

Wed, 27 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used in every other outbound HTTP call (automation steps, plugin downloads, object store), but was not applied to the OAuth2 token endpoint. A user with BUILDER role can point the OAuth2 token URL to internal services (CouchDB, cloud metadata) to exfiltrate sensitive data. This vulnerability is fixed in 3.39.0.
Title		Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
Weaknesses		CWE-918
References		https://github.com/Budibase/budibase/security/advisories/GHSA-g6qx-g4pr-92v7
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T17:00:25.739Z

Updated: 2026-05-27T17:00:25.739Z

Reserved: 2026-05-20T23:12:43.030Z

Link: CVE-2026-48146

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-27T18:16:26.933

Modified: 2026-05-27T19:44:35.987

Link: CVE-2026-48146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object