CVE-2026-31818
Severity: CRITICAL
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Title source: CNA
Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
References (4)
Confirm (x_refsource_confirm): https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45
Misc (x_refsource_misc): https://github.com/Budibase/budibase/pull/18236
Misc (x_refsource_misc): https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732
Misc (x_refsource_misc): https://github.com/Budibase/budibase/releases/tag/3.33.4
Scores
CVSS v3 base score: 9.6
EPSS
0.0038
EPSS Percentile
29.2%
Attack Vector
NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-1188 (Initialization of a Resource with an Insecure Default)
CWE-918 (Server-Side Request Forgery)
Status
published
Products (3)
budibase/backend-core (npm)
0 - 3.33.4
budibase/budibase
< 3.33.4
Budibase/budibase
< 3.33.4
Published
Apr 03, 2026
Tracked Since
Apr 03, 2026