Platform: nodejs
Component: @budibase/backend-core
Fixed in: 3.33.5, 3.33.4
CVE-2026-31818 describes a critical Server-Side Request Forgery (SSRF) vulnerability in Budibase, a low-code platform. An authenticated user holding only minimal privileges (the Builder role or QUERY WRITE access) can use it to exfiltrate sensitive internal data. The vulnerability affects self-hosted Budibase instances running versions prior to 3.33.4 and stems from an inadequate blacklist within the REST Datasource integration.
The weakness lies in Budibase's REST Datasource integration and the blacklist module in its backend. An attacker can craft REST queries that bypass the intended blacklist, causing the server to issue requests to internal services and resources that should be unreachable from outside. This can expose sensitive data, including configuration files, database credentials, and other internal assets. Exploitation requires no user interaction, which raises the risk further: an attacker with the stated privileges can trigger the vulnerability remotely on their own. The potential for data exfiltration is substantial, particularly in environments where internal services are not adequately secured.
CVE-2026-31818 was publicly disclosed on 2026-04-03. Its CVSS score of 9.6 (Critical) reflects the ease of exploitation and the potential for significant data exposure. No public proof-of-concept (PoC) code has been released as of this writing, but the severity and the potential for data exfiltration suggest a high probability of exploitation. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-31818 is to upgrade Budibase to version 3.33.4 or later immediately. This version includes a corrected blacklist implementation that prevents the SSRF. If upgrading is not immediately feasible, consider placing a Web Application Firewall (WAF) or proxy in the path of outbound requests to block connections to internal resources. Additionally, review and restrict the permissions granted to Builder roles and QUERY WRITE access to minimize the attack surface. Monitor Budibase logs for suspicious outbound requests to internal services.
Update Budibase to version 3.33.4 or higher. This version corrects the SSRF by ensuring that the BLACKLIST_IPS environment variable is configured correctly, so that the IP blacklist is actually enabled and unauthorized requests are refused.
CVE-2026-31818 is a critical SSRF vulnerability in Budibase versions before 3.33.4 that allows attackers to exfiltrate internal data via the REST Datasource integration because of a flawed blacklist.
You are affected if you run a self-hosted Budibase instance on a version prior to 3.33.4 and use the REST Datasource integration.
Upgrade Budibase to version 3.33.4 or later. As a temporary workaround, place a WAF or proxy in the path of outbound requests to filter them.
No public exploits are currently known, but the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official Budibase security advisory on their website for detailed information and updates: [https://budibase.com/security/advisories](https://budibase.com/security/advisories)