CVE-2026-48128
Deferred Deferred - Pending Action
Server-Side Request Forgery in Budibase Prior to 3.39.0

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side request forgery path where automation execution causes the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output then returns the response, potentially exposing internal service data. This vulnerability is fixed in 3.39.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-48128
EUVD
EUVD-2026-32594
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase 3.39.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The CVE-2026-48128 vulnerability in Budibase allows an attacker with builder-level access to cause the Budibase server to make outbound HTTP requests to internal or attacker-controlled destinations, potentially exposing internal service data.

This exposure of internal data could lead to unauthorized disclosure of sensitive information, which may impact compliance with data protection standards and regulations such as GDPR or HIPAA if such data includes personal or protected health information.

However, the vulnerability requires builder-level access and does not escalate privileges beyond existing capabilities, and its impact depends on the environment's network controls and permission management.

Therefore, organizations using Budibase should consider this vulnerability in their risk assessments and ensure proper access controls and network restrictions to maintain compliance with relevant standards.

Executive Summary

CVE-2026-48128 is a Server-Side Request Forgery (SSRF) vulnerability in Budibase's automation "Execute Query" step. It occurs because the executeQuery step accepts a queryId from automation inputs and passes it directly to the query execution controller without validating it. This allows an authenticated user with builder-level access to configure a REST datasource targeting internal network endpoints and then trigger the Budibase server to make HTTP requests to those internal or attacker-controlled destinations.

When the automation runs, the server makes outbound HTTP requests from its own network context, and the response from these requests is returned in the automation output. This can potentially expose internal service data.

The vulnerability is fixed in Budibase version 3.39.0.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user with builder-level access to make the Budibase server send HTTP requests to internal infrastructure or attacker-controlled destinations. This can lead to exposure of internal service data through the automation output.

However, the impact is considered moderate (CVSS score 5.1) because builder-level users already have permissions to configure and test datasources directly, so this does not provide a significant privilege escalation.

The practical risk depends on whether builder permissions are granted to partially trusted users and whether network-level controls restrict outbound HTTP requests from the Budibase server.

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound HTTP requests originating from the Budibase server, especially those targeting internal network endpoints or unexpected destinations.

Since the vulnerability involves the automation "Execute Query" step passing unvalidated queryId inputs, reviewing automation configurations for REST datasources targeting internal infrastructure can help identify potential exploitation.

Commands to detect suspicious activity might include network monitoring tools or commands such as:

  • Using tcpdump or tshark to capture outbound HTTP requests from the Budibase server: tcpdump -i <interface> tcp and dst port 80 or 443
  • Using netstat or ss to check active outbound connections from the Budibase server: netstat -tnp | grep budibase or ss -tnp | grep budibase
  • Reviewing Budibase automation configurations for REST datasources that target internal endpoints or unexpected URLs.
Mitigation Strategies

The primary mitigation step is to upgrade Budibase to version 3.39.0 or later, where this vulnerability is fixed.

Additionally, restrict builder-level access to trusted users only, as exploitation requires builder permissions to configure datasources and automations.

Implement network-level controls to restrict outbound HTTP requests from the Budibase server to only necessary destinations, preventing unauthorized internal or external requests.

Review and audit existing automations and REST datasource configurations to ensure they do not target sensitive internal infrastructure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48128. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart