CVE-2026-33226
Server-Side Request Forgery in Budibase Enables Internal Network Access
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | to 3.30.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Budibase versions 3.30.6 and earlier, specifically in the REST datasource query preview endpoint (POST /api/queries/preview). The endpoint allows an authenticated admin user to supply any URL in the fields.path parameter, which the server then requests without any validation.
Because there is no validation on the URLs, an attacker with admin access can make the server send requests to internal services that are not exposed to the internet. These internal services include cloud metadata endpoints (such as AWS, GCP, Azure), internal databases, Kubernetes APIs, and other pods on the internal network.
On Google Cloud Platform (GCP), this vulnerability can lead to theft of OAuth2 tokens with full cloud-platform scope, granting full access to the GCP environment. More generally, it allows full enumeration of the internal network.
At the time of publication, no public patches are available to fix this issue.
How can this vulnerability impact me? :
This vulnerability can have severe impacts if exploited by an authenticated admin user.
- It allows attackers to access internal services that are normally not reachable from outside the network.
- On cloud platforms like GCP, it can lead to theft of OAuth2 tokens with full cloud-platform scope, resulting in complete control over cloud resources.
- It enables full internal network enumeration, which can be used to identify and target other internal systems and services.
- Such access can lead to data breaches, unauthorized data access, and potential disruption of internal services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting access to the Budibase admin interface to trusted users only.
Ensure that only authenticated admins have access to the REST datasource query preview endpoint (POST /api/queries/preview) to prevent exploitation.
Consider network segmentation and firewall rules to limit the server's ability to make HTTP requests to internal services and cloud metadata endpoints.
Monitor and audit admin activities closely to detect any suspicious use of the query preview endpoint.