Server-Side Request Forgery Vulnerability in Budibase Low-Code Platform
CVE-2026-31818

CVSS 9.6 (Critical)

Key Information:

Vendor

Budibase

Status
Vendor
CVE Published:
3 April 2026

What is CVE-2026-31818?

Budibase, an open-source low-code platform, has a server-side request forgery (SSRF) vulnerability in its REST datasource connector. The connector's SSRF protection decides which destination addresses to refuse based on the BLACKLIST_IPS environment variable, but that variable had no default value. On a deployment that never set it, the blocklist is empty, the check passes every destination, and the Budibase server can be made to issue requests to arbitrary hosts, including internal ones. The issue is fixed in version 3.33.4, which ships a default for the protection.
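The failure mode described above, as an added illustration written for this page and not taken from Budibase's code: a destination-IP blocklist that is read only from an environment variable is empty when the variable is unset, so nothing is refused; the hardened variant applies a built-in default for loopback, private, link-local and cloud-metadata ranges and lets the environment variable only add to it. The variable format (comma-separated IPv4 addresses or CIDR ranges), the function names and the default range list are assumptions for the example, not the project's actual behaviour.

```javascript
// Added example, not Budibase's code. Assumes BLACKLIST_IPS is a comma-separated
// list of IPv4 addresses or CIDR ranges and that the caller has already
// resolved the destination hostname to an IPv4 address.

// Assumed secure default (not the upstream project's list): ranges an SSRF
// check should refuse even when the operator configured nothing.
const DEFAULT_BLOCKED = [
  "127.0.0.0/8",    // loopback
  "10.0.0.0/8",     // RFC 1918
  "172.16.0.0/12",  // RFC 1918
  "192.168.0.0/16", // RFC 1918
  "169.254.0.0/16", // link-local, includes the 169.254.169.254 cloud metadata endpoint
  "0.0.0.0/8",      // "this" network; 0.0.0.0 reaches the local host on many stacks
];

// Convert dotted-quad IPv4 to an unsigned number. Plain arithmetic is used so
// the result is never forced into a signed 32-bit int by bitwise operators.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + n;
  }, 0);
}

// Parse "a.b.c.d" or "a.b.c.d/len" into the first address of the block and its size.
function parseCidr(entry) {
  const [ip, lenStr] = entry.trim().split("/");
  const len = lenStr === undefined ? 32 : Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`bad prefix length: ${entry}`);
  const size = 2 ** (32 - len);
  const base = Math.floor(ipv4ToInt(ip) / size) * size;
  return { base, size };
}

function inRange(ipInt, { base, size }) {
  return ipInt >= base && ipInt < base + size;
}

// An unset or empty variable yields an empty rule list.
function parseBlocklist(envValue) {
  if (!envValue) return [];
  return envValue.split(",").map((s) => s.trim()).filter(Boolean).map((e) => parseCidr(e));
}

// Vulnerable pattern: the blocklist comes only from the environment, so an
// unset BLACKLIST_IPS means every destination is allowed.
function isBlockedVulnerable(ipv4, env) {
  const rules = parseBlocklist(env.BLACKLIST_IPS);
  const target = ipv4ToInt(ipv4);
  return rules.some((r) => inRange(target, r));
}

// Hardened pattern: the built-in default always applies; the environment
// variable can extend the list but can never empty it.
function isBlockedHardened(ipv4, env) {
  const rules = [...DEFAULT_BLOCKED.map((e) => parseCidr(e)), ...parseBlocklist(env.BLACKLIST_IPS)];
  const target = ipv4ToInt(ipv4);
  return rules.some((r) => inRange(target, r));
}

// Constructed inputs: a deployment with no BLACKLIST_IPS, and one that sets it.
const unsetEnv = {};
const configuredEnv = { BLACKLIST_IPS: "169.254.0.0/16, 203.0.113.0/24" };
console.log("metadata IP, env unset, vulnerable check:", isBlockedVulnerable("169.254.169.254", unsetEnv));
console.log("metadata IP, env unset, hardened check:  ", isBlockedHardened("169.254.169.254", unsetEnv));
console.log("metadata IP, env set, vulnerable check:  ", isBlockedVulnerable("169.254.169.254", configuredEnv));
console.log("public IP, hardened check:               ", isBlockedHardened("93.184.216.34", unsetEnv));
```

The check only helps if it runs on the address the connector will actually connect to: resolve the hostname first, compare the resolved address, and connect to that same address, otherwise a hostname that resolves to a public address at check time and to an internal one at connect time still gets through.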

Affected Version(s)

budibase < 3.33.4

CVSS v3.1

Score: 9.6
Severity: Critical
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 3 April 2026