Skip to main content

Budibase CVE-2026-48128

| EUVDEUVD-2026-32594 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-27 security-advisories@github.com GHSA-6964-pp88-6wp9
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:06 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side request forgery path where automation execution causes the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output then returns the response, potentially exposing internal service data. This vulnerability is fixed in 3.39.0.

AnalysisAI

Server-side request forgery in Budibase's automation engine (versions prior to 3.39.0) allows high-privileged authenticated users to redirect outbound HTTP requests from the Budibase server to attacker-controlled internal destinations by supplying an unvalidated queryId in the executeQuery automation step. When paired with a REST datasource pointed at internal infrastructure, automation execution causes the server to fetch arbitrary internal URLs and return their responses to the caller, potentially leaking sensitive internal service data. A proof-of-concept exists per SSVC assessment; no confirmed active exploitation or CISA KEV listing at time of analysis.

Technical ContextAI

The root cause is CWE-918 (Server-Side Request Forgery): the executeQuery automation step accepts a queryId parameter from user-controlled automation step inputs and passes it directly to the query execution controller without validating whether the referenced query's target URL is restricted to safe or external destinations. Budibase's REST datasource feature allows administrators to configure datasources that make outbound HTTP calls to arbitrary URLs, including addresses on internal networks. Affected versions are all Budibase releases below 3.39.0 (EUVD-2026-32594). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N) confirms network-reachable exploitation with no special attack target conditions and no user interaction required beyond the attacker's own high-privileged session.

RemediationAI

Upgrade Budibase to version 3.39.0 or later, which contains the vendor-released fix as confirmed by the GitHub Security Advisory GHSA-6964-pp88-6wp9 (https://github.com/Budibase/budibase/security/advisories/GHSA-6964-pp88-6wp9). If immediate upgrade is not feasible, restrict creation and execution of automations that use the executeQuery step to the minimum set of trusted administrators, reducing the attack surface by tightening role-based access controls within Budibase. Additionally, apply network-level egress filtering on the Budibase server host to block outbound connections to RFC-1918 and other internal IP ranges, preventing the server from reaching internal services even if a malicious automation is configured - note this may impact legitimate internal datasource use cases. Audit existing REST datasources for configurations pointing at internal hosts and remove or restrict those that are not operationally necessary.

Share

CVE-2026-48128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy