CVE-2026-31818

Description

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Techniques & Countermeasures

• CWE-918•Server-Side Request Forgery (SSRF)

  The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

• CWE-1188•Initialization of a Resource with an Insecure Default

  The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Affected Systems

• budibase•budibase

  < 3.33.4

References (4)

• https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45
• https://github.com/Budibase/budibase/pull/18236
• https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732
• https://github.com/Budibase/budibase/releases/tag/3.33.4