CVE-2026-48148
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | versions before 3.35.3 (3.35.3 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.35.3. The issue is with the VectorDB configuration endpoint, which accepts a host parameter without validating it against internal IP ranges, reserved hostnames, or URL schemes.
As a result, any authenticated user with builder-level access can supply an arbitrary host value such as 169.254.169.254 or localhost. This causes the server to initiate outbound TCP connections to internal network addresses or cloud metadata endpoints on behalf of the user.
This vulnerability was fixed in version 3.35.3.
How can this vulnerability impact me?
This vulnerability allows an authenticated user with builder-level access to make the server initiate outbound TCP connections to internal network addresses or cloud metadata endpoints.
This could potentially lead to unauthorized access to internal resources, exposure of sensitive information, or exploitation of internal services that are not normally accessible externally.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Budibase version 3.35.3. To mitigate this vulnerability, you should upgrade your Budibase installation to version 3.35.3 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This SSRF vulnerability in Budibase allows authenticated users with builder-level access to make the server initiate outbound connections to internal network addresses or cloud metadata endpoints. In cloud environments, this can lead to exposure of sensitive credentials or instance identity documents, potentially enabling privilege escalation or lateral movement within the network.
Such unauthorized access or exposure of sensitive internal resources and credentials could result in violations of data protection and security requirements mandated by common standards and regulations like GDPR or HIPAA, which require strict controls over access to sensitive data and infrastructure.
Therefore, if exploited, this vulnerability could negatively impact compliance by enabling attackers to access or exfiltrate sensitive information, undermining confidentiality and integrity controls required by these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual outbound TCP connections initiated by the Budibase server to internal IP addresses, reserved hostnames, or cloud metadata endpoints such as 169.254.169.254.
Since the vulnerability is exploited by sending an authenticated API request to the VectorDB configuration endpoint with an arbitrary host parameter, detection can involve inspecting logs for such requests or network traffic for unexpected outbound connections.
- Use network monitoring tools (e.g., tcpdump or Wireshark) to capture outbound connections from the Budibase server to internal IP ranges or metadata service IPs.
- Example tcpdump command to capture outbound connections from the server to the 169.254.0.0/16 link-local range, where cloud metadata services live: `tcpdump -i <interface> src host <budibase-server-ip> and dst net 169.254.0.0/16`
- Check Budibase server logs or API access logs for authenticated requests to the VectorDB configuration endpoint containing suspicious host parameters such as 'localhost' or '169.254.169.254'.
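The description above says the host parameter was accepted without being checked against URL schemes, reserved hostnames or internal IP ranges, and the detection advice above says to look for those same values in logs. The following is an added example, written for this page and not Budibase's own code or its fix, that implements those three checks as a destination validator and then runs the validator over a handful of constructed application-log lines. The log format, the `vectordb.config.update` action name, the usernames, the deny lists of hostnames and the sample host values are all assumptions made for the example.

```typescript
// Added example, not Budibase's code: the three checks the advisory says the VectorDB
// "host" parameter lacked (URL scheme, reserved hostname, internal IP range), plus a
// log scan that applies the same checks on the detection side.

type Verdict = { allowed: boolean; reason: string; hostname?: string };

// Constructed deny list of reserved hostnames; the advisory itself names only "localhost".
const RESERVED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);
const RESERVED_SUFFIXES = [".localhost", ".internal", ".local"];

// IPv4 ranges the server should never contact on a user's behalf: "this host",
// RFC 1918, CGNAT, loopback, link-local (covers 169.254.169.254), multicast, reserved.
const FORBIDDEN_V4_CIDRS: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

// Dotted-quad IPv4 to a 32-bit unsigned number, or null if not a dotted quad.
function parseIPv4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === (((parseIPv4(base) as number) & mask) >>> 0);
}

function parseUrl(s: string): URL | null {
  try { return new URL(s); } catch { return null; }
}

// Accepts a bare host ("vectors.example.com:8000", "10.0.0.5") or a full URL and
// returns allowed=false for anything an SSRF check should refuse.
function checkVectorDbHost(input: string): Verdict {
  const raw = input.trim();
  if (raw === "") return { allowed: false, reason: "empty host" };
  // WHATWG URL parsing canonicalises IPv4 written as a plain integer, hex or
  // octal ("2130706433", "0x7f.1") to dotted quad, so the range check sees it.
  const url = parseUrl(raw.includes("://") ? raw : `https://${raw}`);
  if (url === null) return { allowed: false, reason: "unparseable host" };
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { allowed: false, reason: `scheme not allowed: ${url.protocol}` };
  if (url.username !== "" || url.password !== "")
    return { allowed: false, reason: "credentials embedded in host" };
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("[") && host.endsWith("]")) {
    // IPv6 literal: allow only global unicast 2000::/3. Loopback, link-local,
    // ULA and IPv4-mapped (::ffff:a.b.c.d) forms all fail this allow-list.
    const ok = /^[23][0-9a-f]{0,3}:/.test(host.slice(1, -1));
    return { allowed: ok, reason: ok ? "global unicast IPv6" : "non-global IPv6 literal", hostname: host };
  }
  const v4 = parseIPv4(host);
  if (v4 !== null) {
    const hit = FORBIDDEN_V4_CIDRS.find(([base, bits]) => inCidr(v4, base, bits));
    return hit
      ? { allowed: false, reason: `address in ${hit[0]}/${hit[1]}`, hostname: host }
      : { allowed: true, reason: "public IPv4 literal", hostname: host };
  }
  if (RESERVED_HOSTNAMES.has(host) || RESERVED_SUFFIXES.some((s) => host.endsWith(s)))
    return { allowed: false, reason: "reserved hostname", hostname: host };
  // A name that passes here can still resolve to an internal address: resolve it,
  // run the result through the same IP checks, and connect to that address.
  return { allowed: true, reason: "hostname passes string checks", hostname: host };
}

// Detection side. Log format, action name and usernames are constructed for this
// example; adapt the regex to what your Budibase deployment actually logs.
const SAMPLE_LOG: string[] = [
  '2026-05-27T10:00:01Z user=builder1 action=vectordb.config.update host="vectors.example.com:8000"',
  '2026-05-27T10:02:17Z user=builder1 action=vectordb.config.update host="169.254.169.254"',
  '2026-05-27T10:03:40Z user=builder2 action=vectordb.config.update host="http://localhost:6333"',
  '2026-05-27T10:05:02Z user=builder2 action=vectordb.config.update host="ftp://vectors.example.com"',
  '2026-05-27T10:06:11Z user=builder3 action=app.publish app=sales',
];

function flagSuspiciousConfigChanges(lines: string[]): Array<{ line: string; reason: string }> {
  const flagged: Array<{ line: string; reason: string }> = [];
  for (const line of lines) {
    if (!line.includes("action=vectordb.config.update")) continue;
    const m = /\bhost="?([^"\s]+)"?/.exec(line);
    if (!m) continue;
    const verdict = checkVectorDbHost(m[1]);
    if (!verdict.allowed) flagged.push({ line, reason: verdict.reason });
  }
  return flagged;
}

for (const f of flagSuspiciousConfigChanges(SAMPLE_LOG)) console.log(f.reason, "<-", f.line);
```

Two design points matter more than the deny lists themselves. First, the value is run through the WHATWG URL parser before any comparison, so alternative spellings of the same address (a plain integer, hex or octal octets, a trailing dot) are canonicalised rather than compared as raw strings. Second, the string check is only half of the control: a hostname that passes must still be resolved and its addresses run through the same IP range checks, and the outbound connection should be made to the vetted address rather than re-resolving the name at connect time. On the detection side the same function scores what the logs recorded, so the tcpdump filter above, which only watches 169.254.0.0/16, is complemented by a check that also covers RFC 1918 space and reserved names.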