CVE-2026-48128
Server-Side Request Forgery in Budibase Prior to 3.39.0
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected Version / Range |
|---|---|---|
| budibase | budibase | < 3.39.0 (fixed in 3.39.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48128 is a Server-Side Request Forgery (SSRF) vulnerability in Budibase's automation "Execute Query" step. It occurs because the executeQuery step accepts a queryId from automation inputs and passes it directly to the query execution controller without validating it. This allows an authenticated user with builder-level access to configure a REST datasource targeting internal network endpoints and then trigger the Budibase server to make HTTP requests to those internal or attacker-controlled destinations.
When the automation runs, the server makes outbound HTTP requests from its own network context, and the response from these requests is returned in the automation output. This can potentially expose internal service data.
The vulnerability is fixed in Budibase version 3.39.0.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an authenticated user with builder-level access to make the Budibase server send HTTP requests to internal infrastructure or attacker-controlled destinations. This can lead to exposure of internal service data through the automation output.
However, the impact is considered moderate (CVSS score 5.1) because builder-level users already have permissions to configure and test datasources directly, so this does not provide a significant privilege escalation.
The practical risk depends on whether builder permissions are granted to partially trusted users and whether network-level controls restrict outbound HTTP requests from the Budibase server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual outbound HTTP requests originating from the Budibase server, especially those targeting internal network endpoints or unexpected destinations.
Since the vulnerability involves the automation "Execute Query" step passing unvalidated queryId inputs, reviewing automation configurations for REST datasources targeting internal infrastructure can help identify potential exploitation.
Network-monitoring tools and commands that can help surface such activity include:
- Capturing outbound HTTP/HTTPS traffic from the Budibase server with tcpdump or tshark (the port test must be parenthesised, otherwise `or 443` is not combined with `tcp and`): `tcpdump -i <interface> 'tcp and (dst port 80 or dst port 443)'`
- Listing active outbound connections from the Budibase server with netstat or ss: `netstat -tnp | grep budibase` or `ss -tnp | grep budibase` (adjust the pattern to the process name or container under which Budibase actually runs)
- Reviewing Budibase automation configurations for REST datasources that target internal endpoints or unexpected URLs.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Budibase to version 3.39.0 or later, where this vulnerability is fixed.
Additionally, restrict builder-level access to trusted users only, as exploitation requires builder permissions to configure datasources and automations.
Implement network-level controls to restrict outbound HTTP requests from the Budibase server to only necessary destinations, preventing unauthorized internal or external requests.
Review and audit existing automations and REST datasource configurations to ensure they do not target sensitive internal infrastructure.
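As an added defender-side example (not Budibase's code and not the 3.39.0 fix), the Python below implements the audit that the detection answer and the mitigation steps above both call for: it classifies the host of a REST datasource URL or of an automation's outbound destination as allowed, internal, external or unresolved, and runs that check over constructed datasource configurations and constructed automation log lines. The key=value log format, the `ALLOWED_HOSTS` egress list and all sample data are assumptions for illustration; Budibase's real logs and configuration store look different, so the parsing would need adapting.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical egress allowlist: the only hosts automations are expected to call.
ALLOWED_HOSTS = {"api.example.com"}


def classify_destination(url: str) -> str:
    """Classify a URL's host as 'allowed', 'internal', 'external', 'unresolved' or 'invalid'."""
    host = urlsplit(url).hostname  # strips scheme, port, userinfo and IPv6 brackets
    if not host:
        return "invalid"
    if host in ALLOWED_HOSTS:
        return "allowed"
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname must be resolved (and the resolved address re-checked)
        # before it can be judged, so report it for review instead of guessing.
        return "unresolved"
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return "internal"  # RFC 1918, loopback, link-local (incl. cloud metadata), etc.
    return "external"


def audit_datasources(datasources):
    """Return (name, url, verdict) for every REST datasource not on the allowlist."""
    findings = []
    for ds in datasources:
        verdict = classify_destination(ds["url"])
        if verdict != "allowed":
            findings.append((ds["name"], ds["url"], verdict))
    return findings


# Constructed log format (not Budibase's own): one line per automation step.
LOG_LINE = re.compile(r"automation=(?P<automation>\S+) step=(?P<step>\S+) dst=(?P<dst>\S+)")


def scan_automation_log(lines):
    """Return (automation, destination, verdict) for steps that called a non-allowlisted host."""
    hits = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue  # steps without an outbound destination are not of interest
        verdict = classify_destination(match["dst"])
        if verdict != "allowed":
            hits.append((match["automation"], match["dst"], verdict))
    return hits


# Constructed sample data for illustration.
SAMPLE_DATASOURCES = [
    {"name": "crm", "url": "https://api.example.com/v1/contacts"},
    {"name": "ops-panel", "url": "http://10.0.0.5:8080/admin"},
    {"name": "cloud-meta", "url": "http://169.254.169.254/latest/meta-data/"},
    {"name": "local-loop", "url": "http://[::1]:4001/"},
    {"name": "partner", "url": "https://partner.example.net/export"},
]

SAMPLE_LOG = [
    "2026-05-27T10:00:01Z app=budibase automation=daily-sync step=EXECUTE_QUERY "
    "dst=https://api.example.com/v1/contacts status=200",
    '2026-05-27T10:00:02Z app=budibase automation=daily-sync step=SERVER_LOG msg="done"',
    "2026-05-27T10:05:17Z app=budibase automation=report-export step=EXECUTE_QUERY "
    "dst=http://10.0.0.5:8080/admin status=200",
    "2026-05-27T10:05:18Z app=budibase automation=report-export step=EXECUTE_QUERY "
    "dst=http://localhost:4001/ status=502",
]

if __name__ == "__main__":
    for finding in audit_datasources(SAMPLE_DATASOURCES):
        print("datasource:", finding)
    for hit in scan_automation_log(SAMPLE_LOG):
        print("log:", hit)
```

Hostnames are deliberately reported as `unresolved` rather than resolved inline: a check that resolves DNS at audit time can disagree with what the server resolved when the automation ran, so the resolved address should be captured at request time (for example by an egress proxy) and fed back through the same classifier.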
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-48128 vulnerability in Budibase allows an attacker with builder-level access to cause the Budibase server to make outbound HTTP requests to internal or attacker-controlled destinations, potentially exposing internal service data.
This exposure of internal data could lead to unauthorized disclosure of sensitive information, which may impact compliance with data protection standards and regulations such as GDPR or HIPAA if such data includes personal or protected health information.
However, the vulnerability requires builder-level access and does not escalate privileges beyond existing capabilities, and its impact depends on the environment's network controls and permission management.
Therefore, organizations using Budibase should consider this vulnerability in their risk assessments and ensure proper access controls and network restrictions to maintain compliance with relevant standards.