CVE-2026-45548
Status: Received - Intake
Remote Code Execution in Budibase Automation Steps

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated user to trigger server-side requests to internal network addresses. This vulnerability is fixed in 3.34.8.
Meta Information
Generated: 2026-05-28
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: budibase
Product: budibase
Version / Range: up to 3.34.8 (excluding)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.34.8. The issue is in the processUrlFile function, which uses fetch(fileUrl) without applying the IP blacklist validation that other automation steps use. This means an authenticated user can make the server send requests to internal network addresses, potentially accessing internal resources that should be protected.


How can this vulnerability impact me?

The vulnerability allows an authenticated user to trigger server-side requests to internal network addresses. This can lead to unauthorized access to internal systems or services that are not exposed externally, potentially exposing sensitive information or enabling further attacks within the internal network.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Budibase to version 3.34.8 or later, where the processUrlFile function's use of fetch without IP blacklist validation has been fixed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users to perform server-side requests to internal network addresses, potentially accessing sensitive internal services and cloud metadata endpoints such as AWS IAM credentials and GCP service tokens.

Such unauthorized access and potential data exfiltration could lead to breaches of confidentiality and unauthorized disclosure of sensitive information, which may impact compliance with data protection regulations like GDPR and HIPAA.

Specifically, if personal or protected health information is exposed or accessed through this vulnerability, it could result in non-compliance with these standards, leading to legal and financial consequences.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for server-side requests initiated by the vulnerable Budibase automation step that target internal network addresses. Since the issue involves the processUrlFile function making fetch requests without IP blacklist validation, detection involves identifying unusual or unauthorized internal network requests originating from the Budibase server.

One approach is to analyze Budibase server logs or network traffic for requests to internal IP ranges (such as 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that are triggered by authenticated users with builder permissions.

Suggested commands to help detect exploitation attempts or presence of this vulnerability include:

  • Using network monitoring tools like tcpdump or tshark to capture outgoing requests from the Budibase server to internal IP ranges, for example: tcpdump -i <interface> src host <budibase-server-ip> and dst net 10.0.0.0/8
  • Checking Budibase server logs for automation executions that include URLs pointing to internal IP addresses.
  • Using grep or similar tools to search source code or deployed files for the vulnerable function usage, e.g., grep -r 'fetch(fileUrl)' packages/server/src/automations/steps/ai/extract.ts
  • Verifying the Budibase version to ensure it is 3.34.8 or later, as versions prior to this are vulnerable.
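The check the description says processUrlFile omitted, as an added TypeScript example (not Budibase's code; the platform's own IP blacklist is not reproduced here): it parses the URL, restricts the scheme and refuses literal addresses in private, loopback, link-local and cloud-metadata ranges before any fetch is made. The blocked-range list, the function names and the "localhost" handling are this example's own assumptions.

```typescript
import * as net from "node:net";

// Destinations an automation step must never fetch (constructed list for this
// example): "this network", RFC 1918, CGNAT, loopback, link-local (which holds
// the 169.254.169.254 cloud-metadata endpoint) and broadcast, as [base, prefix].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["255.255.255.255", 32],
];

const v4ToInt = (ip: string): number =>
  ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);

function inCidrV4(ip: string, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// True for a literal address inside the deployment's own network. Expects the
// normalized spelling a WHATWG URL parser produces (e.g. "::1", "::ffff:a00:1").
export function isBlockedIp(ip: string): boolean {
  let addr = ip.toLowerCase();
  // Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1 or ::ffff:a00:1) to plain IPv4
  const m = addr.match(/^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/);
  if (m) {
    const hi = parseInt(m[2] ?? "0", 16), lo = parseInt(m[3] ?? "0", 16);
    addr = m[1] ?? `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
  }
  if (net.isIPv4(addr)) return BLOCKED_V4.some(([b, n]) => inCidrV4(addr, b, n));
  if (net.isIPv6(addr)) // unspecified, loopback, unique-local fc00::/7, link-local fe80::/10
    return addr === "::" || addr === "::1" || /^f[cd]/.test(addr) || /^fe[89ab]/.test(addr);
  return false;
}

// The check fetch(fileUrl) skipped: parse the URL, restrict the scheme and refuse
// literal internal addresses. WHATWG parsing already folds decimal, hex and
// octal IPv4 spellings into dotted quads (http://2130706433/ -> 127.0.0.1).
export function isAllowedFileUrl(fileUrl: string): boolean {
  let u: URL;
  try { u = new URL(fileUrl); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  const host = u.hostname.replace(/^\[|\]$/g, "");
  if (net.isIP(host) !== 0) return !isBlockedIp(host);
  // A DNS name must be resolved and every returned address run through
  // isBlockedIp before connecting, and again on each redirect; that network
  // step is omitted so the example runs offline. "localhost" needs no lookup.
  return host !== "localhost" && !host.endsWith(".localhost");
}
```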
