CVE-2026-31818
Status: Received - Intake
Server-Side Request Forgery in Budibase REST Connector

Publication date: 2026-04-03

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-08
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: budibase
Product: budibase
Version / Range: up to 3.33.4 (excluding)
Weaknesses (CWE)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a server-side request forgery (SSRF) issue in Budibase's REST datasource connector prior to version 3.33.4. The platform uses an IP blacklist to protect against SSRF attacks, but this blacklist is ineffective because the BLACKLIST_IPS environment variable is not set by default in official deployments. When this variable is empty, the blacklist function always returns false, allowing all requests to pass through without restriction.


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform SSRF attacks, which means they can make unauthorized requests from the server to internal or external systems. Given the high CVSS score (9.6) with high impact on confidentiality and integrity, this could lead to exposure of sensitive data or manipulation of internal services.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Budibase to version 3.33.4 or later, where the SSRF protection mechanism has been properly patched.

Additionally, ensure that the BLACKLIST_IPS environment variable is set with appropriate IP addresses to enable the blacklist function, as leaving it empty disables the SSRF protection.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-31818 vulnerability allows low-privileged users to perform Server-Side Request Forgery (SSRF) attacks that can access internal network services and exfiltrate sensitive data, including user credentials, platform secrets, and application data.

Such unauthorized access and data exfiltration can lead to breaches of confidentiality and integrity, which are critical concerns under compliance frameworks like GDPR and HIPAA that mandate protection of personal and sensitive data.

Because the vulnerability enables attackers to read and modify internal databases and escalate privileges, it poses a significant risk of violating data protection requirements, potentially resulting in non-compliance with these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect the CVE-2026-31818 SSRF vulnerability on your system, check whether your Budibase deployment is running a version prior to 3.33.4 and whether the BLACKLIST_IPS environment variable is unset or empty; an empty value disables the IP blacklist protection entirely.

Since the vulnerability allows unauthorized internal network requests via the REST datasource connector, you can monitor network traffic for unusual outbound requests targeting internal IP ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and IPv6 equivalents (::1/128, fc00::/7, fe80::/10).

You can also audit Budibase REST datasource configurations and API calls to detect if any datasources are configured to access internal IP addresses or services.

Suggested commands to help detect potential exploitation or presence of the vulnerability include:

  • Check Budibase version: `budibase --version` or verify the deployed version in your environment.
  • Inspect environment variables for BLACKLIST_IPS: `echo $BLACKLIST_IPS` (Linux/macOS) or `echo %BLACKLIST_IPS%` (Windows). An empty or unset variable indicates the blacklist is disabled.
  • Monitor network connections from the Budibase server to internal IP ranges using tools like `netstat`, `ss`, or packet capture tools such as `tcpdump` or `wireshark`. For example: `sudo tcpdump -i any net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16`
  • Audit REST datasource configurations via Budibase API or database queries to identify any datasources pointing to internal IP addresses.
  • Check application logs for unusual REST datasource requests or errors related to internal IP access.

Note that the vulnerability stems from the blacklist not being enforced when its configuration is empty, so detection focuses on confirming whether the blacklist is disabled and on monitoring for unauthorized requests to internal network ranges.
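The following added example is not Budibase's code; it is an illustrative model of the failure mode the description and the detection guidance above describe. It shows a blacklist check that returns false for everything when BLACKLIST_IPS is empty, a fail-closed variant that keeps the internal ranges listed above blocked regardless of configuration, and a configuration audit for the unset-by-default finding. The comma-separated format of BLACKLIST_IPS, the function names and the constructed resolver are assumptions made for the example.

```python
"""Illustrative model (not Budibase's code) of the fail-open IP blacklist
described in CVE-2026-31818, a fail-closed replacement, and a check for the
unset-by-default BLACKLIST_IPS setting."""
import ipaddress
import socket

# Internal ranges listed in the advisory's detection guidance.
DEFAULT_DENY_RANGES = [ipaddress.ip_network(r) for r in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_blacklist(raw):
    """Parse BLACKLIST_IPS (assumed comma-separated IPs/CIDRs) into networks.
    An unset or empty variable yields an empty list."""
    nets = []
    for item in (raw or "").split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _normalise(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is matched as IPv4."""
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def _addresses_for(host, resolve):
    """Addresses a host literal or name refers to; names go through resolve()."""
    try:
        return [ipaddress.ip_address(host.strip("[]"))]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolve(host)]


def _system_resolve(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blacklisted_fail_open(host, raw_blacklist, resolve=_system_resolve):
    """The pre-3.33.4 behaviour the advisory describes: with no configured
    entries the function returns False for every destination."""
    nets = parse_blacklist(raw_blacklist)
    if not nets:
        return False
    return any(_normalise(a) in n
               for a in _addresses_for(host, resolve) for n in nets)


def is_blocked_fail_closed(host, raw_blacklist, resolve=_system_resolve):
    """Hardened variant: the operator's list only extends a built-in deny
    list, every resolved address is checked, and resolution failure denies."""
    nets = DEFAULT_DENY_RANGES + parse_blacklist(raw_blacklist)
    try:
        addrs = _addresses_for(host, resolve)
    except (ValueError, OSError):
        return True
    return any(_normalise(a) in n for a in addrs for n in nets)


def audit_blacklist_env(env):
    """Deployment check for the CWE-1188 finding: returns findings for an
    environment mapping (e.g. os.environ or a parsed .env file)."""
    try:
        nets = parse_blacklist(env.get("BLACKLIST_IPS", ""))
    except ValueError as exc:
        return [f"BLACKLIST_IPS contains an unparsable entry: {exc}"]
    if not nets:
        return ["BLACKLIST_IPS is unset or empty: IP blacklist is disabled"]
    return [f"BLACKLIST_IPS does not cover {r}" for r in DEFAULT_DENY_RANGES
            if not any(r.subnet_of(n) for n in nets if n.version == r.version)]


# Constructed resolver so the demonstration runs offline (stands in for DNS).
CONSTRUCTED_DNS = {"internal-svc.example": ["10.20.30.40"],
                   "app.example": ["203.0.113.10"]}


def constructed_resolve(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed resolver: unknown host {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    print(is_blacklisted_fail_open("127.0.0.1", ""))      # False: nothing blocked
    print(is_blocked_fail_closed("127.0.0.1", ""))        # True: denied by default
    print(is_blocked_fail_closed("::ffff:10.0.0.5", ""))  # True: mapped address unwrapped
    print(is_blocked_fail_closed("internal-svc.example", "", constructed_resolve))  # True
    print(audit_blacklist_env({}))
    print(audit_blacklist_env({"BLACKLIST_IPS": "10.0.0.0/8,127.0.0.0/8"}))
```

The audit function can be pointed at `os.environ` on the Budibase host or at a parsed `.env`/compose file; the fail-closed check also illustrates two details a blacklist must get right beyond the empty-default problem: IPv4-mapped IPv6 literals must be unwrapped before matching, and hostnames must be resolved and every returned address checked rather than comparing the name itself.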

