Description
Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.
Published: 2026-06-26
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase, an open-source low-code platform, lets authenticated users with automation permissions trigger outbound fetch requests. The hostname of such a request is checked against an SSRF blacklist before the request is sent, but the socket is later opened by node-fetch, which performs its own DNS lookup; the address that passed the check is never pinned to that connection. An attacker who controls a domain's authoritative DNS can therefore answer the first lookup with a public address and the second with a private or internal one (DNS rebinding), turning the check into a time-of-check/time-of-use race (CWE-367). The result is a non-blind SSRF primitive (CWE-918): the user can read responses from services reachable only from the Budibase host, such as loopback listeners, RFC1918 ranges, or cloud metadata endpoints, exposing sensitive data or enabling further internal attacks.

Affected Systems

Budibase platform versions earlier than 3.39.9 are vulnerable; the GitHub advisory (GHSA-gfq7-5x4g-3xhf) names the @budibase/backend-core package as the component carrying the outbound fetch validation. No other vendors or products are listed.

Risk and Exploitability

The CVSS 3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) rates this High: the flaw is reachable over the network with low attack complexity, needs only low privileges (an authenticated account with automation permissions) and no user interaction, and the changed scope reflects that the impact lands on internal services rather than on Budibase itself. The DNS rebinding step adds little difficulty for an attacker who controls a domain's authoritative name server, so the practical limit is the privilege requirement, not the technique. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the severity warrants prompt attention. Because the primitive is non-blind, successful exploitation returns the responses of any HTTP service reachable from the Budibase host, not merely confirmation that a request was made.

Generated by OpenCVE AI on June 26, 2026 at 22:40 UTC.

Remediation

Fixed in Budibase 3.39.9 (per the description and GHSA-gfq7-5x4g-3xhf).

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.39.9 or later to apply the SSRF fix.
  • If an upgrade cannot be performed immediately, limit or remove automation permissions from all authenticated users until the patch is deployed.
  • Implement network segmentation or host-level egress filtering so the Budibase host cannot open connections to internal IP ranges or the cloud metadata address; these controls are enforced on the actual connection, so a DNS rebinding trick that fools the application's own blacklist does not get past them.



Advisories
Source: GitHub GHSA
ID: GHSA-gfq7-5x4g-3xhf
Title: @budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
History

Fri, 26 Jun 2026 21:00:00 +0000

Columns: Type / Values Removed / Values Added (this entry lists only added values)

Type: Description
  Values Added: Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.

Type: Title
  Values Added: Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation

Type: Weaknesses
  Values Added: CWE-367, CWE-918

Type: References
  Values Added: (empty)

Type: Metrics
  Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:44:52.069Z

Reserved: 2026-06-12T19:23:22.317Z

Link: CVE-2026-54353

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-918

    Server-Side Request Forgery (SSRF)