Description
Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.
Published: 2026-06-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase, an open‑source low‑code platform, allows authenticated users with automation permissions to trigger an outbound fetch operation. During input validation, the hostname is checked against a blacklist, but the actual socket connection performs a separate DNS lookup via node-fetch. An attacker can use DNS rebinding to make the validated hostname resolve to a public IP during validation and to a private or internal IP during the real connection. This bypass turns the validation into a non‑blind SSRF primitive, enabling a malicious user to reach internal services such as loopback interfaces, RFC1918 ranges, or cloud metadata endpoints, potentially exposing sensitive data or allowing further internal attacks.

Affected Systems

Budibase Budibase platform versions earlier than 3.39.9 are vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 8.5 indicates a high‑severity vulnerability. Because the exploit requires an authenticated user with automation permissions and operates through DNS rebinding, the attack vector is relatively narrow but still feasible. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog, although its severity warrants immediate attention. Exploitation would allow a determined attacker to access internal resources reachable from the Budibase host.

Generated by OpenCVE AI on June 26, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.39.9 or later to apply the SSRF fix.
  • If an upgrade cannot be performed immediately, limit or remove automation permissions from all authenticated users until the patch is deployed.
  • Implement network segmentation or firewall controls to prevent outbound connections to internal IP ranges from the Budibase host.

Generated by OpenCVE AI on June 26, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gfq7-5x4g-3xhf @budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
History

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Budibase
Budibase budibase
Vendors & Products Budibase
Budibase budibase

Fri, 26 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.
Title Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation
Weaknesses CWE-367
CWE-918
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


Subscriptions

Budibase Budibase
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T13:17:32.753Z

Reserved: 2026-06-12T19:23:22.317Z

Link: CVE-2026-54353

cve-icon Vulnrichment

Updated: 2026-06-29T13:17:10.309Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T02:30:03Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-918

    Server-Side Request Forgery (SSRF)