Skip to main content

Budibase CVE-2026-54353

| EUVDEUVD-2026-39915 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-22 https://github.com/Budibase/budibase GHSA-gfq7-5x4g-3xhf
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Authenticated automation user (PR:L) wins a DNS-rebinding TOCTOU race (AC:H) to reach internal resources across a trust boundary (S:C); primarily a read primitive (C:H), minimal integrity, no availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 30, 2026 - 20:15 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 20:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 20:07 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 20:07 NVD
8.5 (HIGH) 7.1 (HIGH)
CVE Published
Jun 23, 2026 - 00:03 cve.org
HIGH 8.5
Source Code Evidence Fetched
Jun 23, 2026 - 00:02 vuln.today
Analysis Generated
Jun 23, 2026 - 00:02 vuln.today

DescriptionNVD

Summary

Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding.

The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection.

This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints.

Details

The issue comes from the outbound fetch validation flow resolving DNS twice:

During blacklist validation Again during the real socket connection

The first lookup result is discarded after validation, so the second lookup is free to resolve to a different IP.

This creates a classic TOCTOU DNS rebinding issue.

Affected flow in:

packages/backend-core/src/utils/outboundFetch.ts

async function throwIfUnsafe(url: string): Promise<void> {
  const parsed = parseUrl(url)

  if (await isBlacklisted(parsed.hostname)) {
    throw new Error("URL is blocked or could not be resolved safely.")
  }
}

for (let redirects = 0; redirects <= MAX_REDIRECTS; redirects++) {
  await throwIfUnsafe(nextUrl)

  const response = await fetchFn(nextUrl, nextRequest)

  // ...
}

fetchFn uses plain node-fetch with no custom http.Agent / https.Agent, so the underlying socket performs its own independent dns.lookup after validation completes.

The same pattern also exists in:

packages/server/src/automations/steps/utils.ts

await throwIfBlacklisted(nextUrl)

const response = await fetch(nextUrl, nextRequest)

The blacklist implementation resolves hostnames but only returns a boolean:

packages/backend-core/src/blacklist/blacklist.ts

async function lookup(address: string): Promise<string[]> {
  address = parseAddress(address)

  const addresses = await performLookup(address, { all: true })

  return addresses.map(addr => addr.address)
}

export async function isBlacklisted(address: string): Promise<boolean> {
  // ...

  if (!net.isIP(address)) {
    try {
      ips = await lookup(address)
    } catch (e) {
      /* ... */
    }
  } else {
    ips = [address]
  }

  return ips.some(ip => blackList!.check(ip, getIpVersion(ip)))
}

The resolved IPs are discarded, so callers cannot pin the later socket connection to the validated addresses.

An attacker controlling authoritative DNS for a hostname can therefore return:

a public IP during validation a private/internal IP during the actual connection

Anything routing through these helpers inherits the issue, including:

outgoing webhook Slack Discord Make Zapier n8n AI extract object-store fetches

Several of these steps return upstream response content directly into automation output, which makes the SSRF non-blind.

PoC

Tested locally against a self-hosted build from master. No Budibase-operated infrastructure was touched.

Run Budibase locally.

Start a harmless local HTTP listener:

python3 -m http.server 8080 --bind 127.0.0.1

Use a rebinding hostname such as:

7f000001.cb007264.rbndr.us

which rotates between:

127.0.0.1 203.0.113.100

Steps to reproduce:

Log into Budibase with automation permissions. Create an automation using the Outgoing Webhook step. Set the URL to: http://<rebinding-host>:8080/ Trigger the automation.

Observed result:

The blacklist validation resolves the hostname to the public IP and allows the request. node-fetch performs a second DNS lookup during socket creation. The second lookup resolves to 127.0.0.1. The TCP connection lands on the local service. The local server response body appears directly in the automation output. Impact

This produces a non-blind read-SSRF primitive against anything reachable from the Budibase host process, including:

loopback services (127.0.0.1) RFC1918 ranges internal Kubernetes/VPC services cloud metadata endpoints (169.254.169.254)

On cloud deployments without IMDSv2 enforcement, this may expose temporary IAM credentials via:

/latest/meta-data/iam/security-credentials/<role>

On multi-tenant hosted deployments, this may also create potential cross-tenant access paths through shared internal infrastructure.

AnalysisAI

Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Budibase account with automation permissions
Delivery
Configure attacker-controlled rebinding DNS hostname
Exploit
Create webhook/automation step targeting that host
Execution
Validation resolves public IP and passes blacklist
Persist
Socket re-resolves to internal/metadata IP
Impact
Read internal response (IAM creds, internal services) from automation output

Vulnerability AssessmentAI

Exploitation Requires an authenticated Budibase user holding automation permissions (PR:L) and the ability to control authoritative DNS for an attacker-chosen hostname so it resolves to a public IP during blacklist validation and an internal IP during the actual socket connection. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real-but-conditional priority rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege Budibase account that has automation permissions creates an Outgoing Webhook (or Slack/Discord/Make/Zapier/n8n/AI-extract) step pointing at a rebinding hostname they control, such as 7f000001.cb007264.rbndr.us, which alternates between a public IP and 127.0.0.1. When the automation runs, blacklist validation sees the public IP and allows it, but node-fetch's second DNS lookup resolves to the internal address and the socket lands on an internal service; the response body is returned directly into automation output, making the read non-blind. …
Remediation Vendor-released patch: upgrade Budibase / @budibase/backend-core to 3.39.9 or later, which is the fixed release per the GitHub advisory (https://github.com/Budibase/budibase/security/advisories/GHSA-gfq7-5x4g-3xhf). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all Budibase deployments to confirm currently installed version of @budibase/backend-core via application settings, deployment manifests, or package inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-54353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy