Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side request forgery path where automation execution causes the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output then returns the response, potentially exposing internal service data. This vulnerability is fixed in 3.39.0.
AnalysisAI
Server-side request forgery in Budibase's automation engine (versions prior to 3.39.0) allows high-privileged authenticated users to redirect outbound HTTP requests from the Budibase server to attacker-controlled internal destinations by supplying an unvalidated queryId in the executeQuery automation step. When paired with a REST datasource pointed at internal infrastructure, automation execution causes the server to fetch arbitrary internal URLs and return their responses to the caller, potentially leaking sensitive internal service data. A proof-of-concept exists per SSVC assessment; no confirmed active exploitation or CISA KEV listing at time of analysis.
Technical ContextAI
The root cause is CWE-918 (Server-Side Request Forgery): the executeQuery automation step accepts a queryId parameter from user-controlled automation step inputs and passes it directly to the query execution controller without validating whether the referenced query's target URL is restricted to safe or external destinations. Budibase's REST datasource feature allows administrators to configure datasources that make outbound HTTP calls to arbitrary URLs, including addresses on internal networks. Affected versions are all Budibase releases below 3.39.0 (EUVD-2026-32594). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N) confirms network-reachable exploitation with no special attack target conditions and no user interaction required beyond the attacker's own high-privileged session.
RemediationAI
Upgrade Budibase to version 3.39.0 or later, which contains the vendor-released fix as confirmed by the GitHub Security Advisory GHSA-6964-pp88-6wp9 (https://github.com/Budibase/budibase/security/advisories/GHSA-6964-pp88-6wp9). If immediate upgrade is not feasible, restrict creation and execution of automations that use the executeQuery step to the minimum set of trusted administrators, reducing the attack surface by tightening role-based access controls within Budibase. Additionally, apply network-level egress filtering on the Budibase server host to block outbound connections to RFC-1918 and other internal IP ranges, preventing the server from reaching internal services even if a malicious automation is configured - note this may impact legitimate internal datasource use cases. Audit existing REST datasources for configurations pointing at internal hosts and remove or restrict those that are not operationally necessary.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32594
GHSA-6964-pp88-6wp9