CVE-2026-48146
OAuth2 Token SSRF in Budibase Prior to 3.39.0
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | < 3.39.0 (all versions before 3.39.0; 3.39.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.39.0. The OAuth2 token fetch function passed the configured token URL to a raw fetch call with no Server-Side Request Forgery (SSRF) protection. Other outbound HTTP calls in the codebase go through a safe wrapper, fetchWithBlacklist(), but that wrapper was not applied to the OAuth2 token endpoint. A user with the BUILDER role, who can edit the OAuth2 configuration, can therefore point the token URL at internal services such as CouchDB or at cloud metadata endpoints (for example 169.254.169.254) and have the Budibase server make the request on their behalf, potentially exfiltrating sensitive data.
How can this vulnerability impact me?
The vulnerability allows a user with BUILDER role privileges to perform SSRF attacks by redirecting the OAuth2 token fetch to internal services. This can lead to unauthorized access and exfiltration of sensitive internal data, such as database contents or cloud metadata, which could compromise the confidentiality of your system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Budibase to version 3.39.0 or later, where the OAuth2 token fetch goes through the same fetchWithBlacklist() wrapper as the other outbound HTTP calls, so token URLs that resolve to internal or link-local addresses are refused. Until you can upgrade, limit the BUILDER role to trusted users and restrict egress from the Budibase host at the network level (block 169.254.169.254 and any internal services Budibase itself does not need to reach), so a crafted token URL has nowhere useful to go.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Exploitation lets a BUILDER-role user reach internal services and cloud metadata through the Budibase server, and divert the token request, which carries the OAuth2 client credentials, to a host of their choosing. The result is credential leakage, unauthorized access to internal data stores such as CouchDB, and internal network reconnaissance.
Unauthorized access to and disclosure of sensitive data of this kind is exactly what GDPR and HIPAA require you to prevent; where personal or health data is reachable through the affected instance, a confirmed exploitation may also trigger their breach-notification duties.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Server-Side Request Forgery (SSRF) in Budibase's OAuth2 token fetch function, allowing an attacker with BUILDER role to cause the application to make unauthorized requests to internal services.
To detect exploitation attempts, watch for outbound HTTP(S) requests from the Budibase server to destinations it has no business reaching: the cloud metadata endpoint (169.254.169.254), internal services other than its own CouchDB, Redis and object store, or external hosts that are not a configured OAuth2 provider.
- Capture outbound traffic with tcpdump. Group the `or` terms with parentheses: in BPF filter syntax `and` binds tighter than `or`, so an ungrouped list of networks and ports matches something other than what you intended. Example, scoped to the Budibase host:
  sudo tcpdump -ni <interface> 'src host <budibase-host> and tcp and (dst net 169.254.0.0/16 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16) and (dst port 80 or dst port 443)'
  Expect legitimate hits for CouchDB, Redis and MinIO on internal addresses; exclude them with `and not dst host <couchdb-host>` clauses. The metadata service answers on port 80, but a token URL can name any port (CouchDB listens on 5984, for instance), so drop the port clause if you want every internal destination.
- Review Budibase server logs and any egress-proxy logs for OAuth2 token requests whose URL names an internal IP, a loopback or link-local address, or a hostname that is not one of your identity providers.
- To confirm whether the guard is present, on a non-production instance and with a BUILDER account, set an OAuth2 token URL to a listener you control on an internal address (for example `python3 -m http.server 8080` on another internal host). An unpatched server POSTs the token request, client credentials included, to that listener; 3.39.0 and later refuse the URL instead.