EUVD-2026-18792
GHSA-7r9j-r86q-7g45
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
4Tags
Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
Analysis
Server-Side Request Forgery (SSRF) in Budibase's REST datasource connector (versions prior to 3.33.4) allows authenticated users with low privileges to bypass IP blacklist protections and access internal network resources. The vulnerability stems from a configuration flaw where the BLACKLIST_IPS environment variable is not set by default in official deployments, causing all blacklist checks to fail silently. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Budibase deployments and their current versions using inventory or deployment tools; immediately restrict access to Budibase's REST datasource connector to trusted users only through role-based access controls. Within 7 days: If running Budibase version 3.33.3 or earlier, manually configure the BLACKLIST_IPS environment variable with your organization's internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as a temporary control; document the configuration. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today