CVE-2026-31818
CRITICAL
9,6
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: none
Description
AI Translation Available
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
918
Server-Side Request Forgery (SSRF)
IncompleteCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Access Control
Potential Impacts:
Read Application Data
Execute Unauthorized Code Or Commands
Bypass Protection Mechanism
Applicable Platforms
Technologies:
AI/ML, Web Based, Web Server
1188
Initialization of a Resource with an Insecure Default
IncompleteCommon Consequences
Security Scopes Affected:
Other
Potential Impacts:
Varies By Context
Applicable Platforms
All platforms may be affected
https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc0…
https://github.com/Budibase/budibase/pull/18236
https://github.com/Budibase/budibase/releases/tag/3.33.4
https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45