Impact
The vulnerable VectorDB configuration endpoint in Budibase allows an authenticated builder‑level user to supply an arbitrary host value that is not validated for internal IP ranges, reserved hostnames, or URL schemes. This omission effectively enables an attacker to trigger outbound TCP connections from the application server to any specified host, including internal network addresses such as 169.254.169.254 or localhost. The primary impact is server‑side request forgery (SSRF), potentially exposing internal services or cloud metadata to unauthorized users, thereby compromising confidentiality or enabling further lateral movement within the environment.
Affected Systems
Budibase platform by Budibase, versions prior to 3.35.3. Any installation running an earlier release is susceptible, including self‑hosted or cloud deployments.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity, reflecting the need for authenticated access and the potential for internal network exploitation. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred: an authenticated user with builder privileges submits a malicious host value through the VectorDB configuration interface, causing the back end to open connections to the target host. While exploitation requires legitimate credentials, it can still be abused through compromised accounts or social engineering, and the lack of host validation provides a foothold for internal reconnaissance or data exfiltration.
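As an added illustration of the missing check (example code written for this page, not Budibase's code or its patch), the following validator is the kind of control a server can apply to a user-supplied VectorDB host before opening any outbound connection: a syntactic check on the raw value, then a check on the addresses it resolves to. The function names and the blocked-range list are this example's own assumptions.

```javascript
// Illustrative host validation for a user-supplied VectorDB host (added example,
// not Budibase's code or its fix). Loopback, private, link-local (which covers
// 169.254.169.254), CGNAT, multicast and "this network" IPv4 ranges are blocked.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 4],
];
const ipv4ToInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
// Dotted-quad only, no leading zeros (some resolvers read "0177" as octal 127).
const isIPv4Literal = (s) =>
  /^(0|[1-9]\d{0,2})(\.(0|[1-9]\d{0,2})){3}$/.test(s) && s.split(".").every((o) => Number(o) <= 255);

function isBlockedIPv4(ip) {
  const v = ipv4ToInt(ip);
  return BLOCKED_V4.some(([network, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((v & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
  });
}

// Syntactic check: the field must be a bare hostname or IPv4 literal with no
// scheme, credentials, port or path, and must not name a reserved target.
function validateVectorDbHost(rawHost) {
  if (typeof rawHost !== "string" || rawHost.length === 0) return { ok: false, reason: "empty host" };
  if (/[\/\\@:?#\s]/.test(rawHost)) return { ok: false, reason: "scheme, port, path or userinfo not allowed" };
  const host = rawHost.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || /\.(localhost|local|internal)$/.test(host)) return { ok: false, reason: "reserved hostname" };
  if (isIPv4Literal(host)) {
    return isBlockedIPv4(host) ? { ok: false, reason: "reserved IPv4 range" } : { ok: true, host };
  }
  // Plain hostname: RFC 1123 labels; an all-digit last label is rejected so that
  // decimal forms such as "2130706433" (127.0.0.1) never reach the resolver as names.
  const labels = host.split(".");
  const labelOk = (l) => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(l);
  if (!labels.every(labelOk) || /^\d+$/.test(labels[labels.length - 1])) return { ok: false, reason: "invalid hostname" };
  return { ok: true, host };
}

// Resolution check: a hostname that passes syntactically may still resolve to an
// internal address. The caller resolves it (e.g. dns.promises.lookup(host, { all: true })),
// passes the results here, and connects only to the address this returns, so the
// connection target and the checked address are the same value.
function pickSafeAddress(addresses) {
  for (const { address, family } of addresses) {
    if (family === 4 && !isBlockedIPv4(address)) return address;
    // IPv6 is skipped here for brevity; a real deployment must also block ::1,
    // fc00::/7, fe80::/10 and IPv4-mapped addresses (::ffff:a.b.c.d).
  }
  return null;
}
```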
OpenCVE Enrichment
GitHub GHSA