What is the CVSS score of CVE-2026-31818?

CVE-2026-31818 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Budibase are affected by CVE-2026-31818?

Budibase versions prior to 3.33.4 contain a critical Server-Side Request Forgery (SSRF) vulnerability in the REST datasource connector that allows authenticated low-privilege users to bypass network…. A patch is available.

How to fix or mitigate CVE-2026-31818?

Within 24 hours: Identify all Budibase deployments and their current versions using inventory or deployment tools; immediately restrict access to Budibase's REST datasource connector to trusted users only through role-based access controls. Within 7 days: If running Budibase version 3.33.3 or earlier, manually configure the BLACKLIST_IPS environment variable with your organization's internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as a temporary control; document the configuration. Within 30 days: Upgrade all Budibase instances to version 3.33.4 or later when released by the vendor; re-test REST datasource connector functionality post-upgrade.

Budibase CVE-2026-31818

EUVD-2026-18792 CRITICAL

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-03 GitHub_M

GHSA-7r9j-r86q-7g45

SSRF Budibase

9.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.6 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Apr 04, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 03, 2026 - 16:00 euvd

EUVD-2026-18792

Analysis Generated

Apr 03, 2026 - 16:00 vuln.today

CVE Published

Apr 03, 2026 - 15:41 nvd

CRITICAL 9.6

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.

AnalysisAI

Server-Side Request Forgery (SSRF) in Budibase's REST datasource connector (versions prior to 3.33.4) allows authenticated users with low privileges to bypass IP blacklist protections and access internal network resources. The vulnerability stems from a configuration flaw where the BLACKLIST_IPS environment variable is not set by default in official deployments, causing all blacklist checks to fail silently. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Budibase instance

Delivery

Create REST datasource connector

Exploit

Craft SSRF payload targeting internal services

Execution

Bypass disabled IP blacklist

Impact

Access internal resources or metadata