Compliance Impact

The CVE-2026-31818 vulnerability allows low-privileged users to perform Server-Side Request Forgery (SSRF) attacks that can access internal network services and exfiltrate sensitive data, including user credentials, platform secrets, and application data.

Such unauthorized access and data exfiltration can lead to breaches of confidentiality and integrity, which are critical concerns under compliance frameworks like GDPR and HIPAA that mandate protection of personal and sensitive data.

Because the vulnerability enables attackers to read and modify internal databases and escalate privileges, it poses a significant risk of violating data protection requirements, potentially resulting in non-compliance with these regulations.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a server-side request forgery (SSRF) issue in Budibase's REST datasource connector prior to version 3.33.4. The platform uses an IP blacklist to protect against SSRF attacks, but this blacklist is ineffective because the BLACKLIST_IPS environment variable is not set by default in official deployments. When this variable is empty, the blacklist function always returns false, allowing all requests to pass through without restriction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to perform SSRF attacks, which means they can make unauthorized requests from the server to internal or external systems. Given the high CVSS score (9.6) with high impact on confidentiality and integrity, this could lead to exposure of sensitive data or manipulation of internal services.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Budibase to version 3.33.4 or later, where the SSRF protection mechanism has been properly patched.

Additionally, ensure that the BLACKLIST_IPS environment variable is set with appropriate IP addresses to enable the blacklist function, as leaving it empty disables the SSRF protection.

Useful 0 Not Useful 0

Detection Guidance

To detect the CVE-2026-31818 SSRF vulnerability on your system, you should check if your Budibase deployment is running a version prior to 3.33.4 and whether the BLACKLIST_IPS environment variable is unset or empty, which disables the IP blacklist protection.

Since the vulnerability allows unauthorized internal network requests via the REST datasource connector, you can monitor network traffic for unusual outbound requests targeting internal IP ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and IPv6 equivalents (::1/128, fc00::/7, fe80::/10).

You can also audit Budibase REST datasource configurations and API calls to detect if any datasources are configured to access internal IP addresses or services.

Suggested commands to help detect potential exploitation or presence of the vulnerability include:

• Check Budibase version: `budibase --version` or verify the deployed version in your environment.
• Inspect environment variables for BLACKLIST_IPS: `echo $BLACKLIST_IPS` (Linux/macOS) or `echo %BLACKLIST_IPS%` (Windows). An empty or unset variable indicates the blacklist is disabled.
• Monitor network connections from the Budibase server to internal IP ranges using tools like `netstat`, `ss`, or packet capture tools such as `tcpdump` or `wireshark`. For example: `sudo tcpdump -i any net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16`
• Audit REST datasource configurations via Budibase API or database queries to identify any datasources pointing to internal IP addresses.
• Check application logs for unusual REST datasource requests or errors related to internal IP access.

Note that the vulnerability is due to the lack of blacklist enforcement, so detection focuses on identifying if the blacklist is disabled and monitoring for unauthorized internal network requests.

Useful 0 Not Useful 0