Platform
nodejs
Component
budibase
Fixed in
3.30.7
CVE-2026-33226 describes a Server-Side Request Forgery (SSRF) vulnerability within Budibase, a low-code application development platform. This flaw allows authenticated administrators to initiate server-side HTTP requests to arbitrary URLs specified in the `fields.path` parameter of the `/api/queries/preview` endpoint, bypassing validation. The vulnerability impacts Budibase versions 3.30.6 and earlier, potentially leading to significant internal network exposure and data compromise. A patch is available.
The SSRF vulnerability in Budibase poses a serious risk to deployments, particularly those hosted on cloud platforms like AWS, GCP, and Azure. An attacker with an authenticated administrator account can use this flaw to reach internal services that are not directly exposed to the internet. This includes accessing cloud metadata endpoints, potentially stealing OAuth2 tokens (especially on GCP with the cloud-platform scope, which grants full GCP access), querying internal databases, and interacting with Kubernetes APIs and other pods within the internal network. The blast radius extends to the entire internal network, enabling attackers to map and potentially compromise sensitive resources. The ability to read cloud metadata exposes credentials and configuration data, significantly increasing the risk of further exploitation.
CVE-2026-33226 was publicly disclosed on 2026-03-18. The vulnerability is present in Budibase, a popular low-code platform, increasing the likelihood of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the SSRF nature of the vulnerability makes it relatively straightforward to exploit. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33226 is to upgrade Budibase to a patched version. Consult the official Budibase advisory for the latest recommended version. If immediate upgrading is not feasible, consider temporary workarounds. Restrict network access to and from the Budibase instance (a Web Application Firewall for inbound traffic, an egress proxy or firewall for outbound) so that server-side requests to internal or suspicious IP addresses are blocked. Implement strict input validation on the `fields.path` parameter to prevent malicious URL manipulation. Monitor network traffic for unusual outbound connections originating from the Budibase instance. After upgrading, confirm the fix by attempting a query preview with a known malicious URL and verifying that the request is blocked.
Update Budibase to a version later than 3.30.6. As no patches are available at the time of publication, it is recommended to monitor Budibase security updates and apply the update as soon as it is available.
CVE-2026-33226 is a HIGH severity SSRF vulnerability affecting Budibase versions up to 3.30.6, allowing authenticated admins to access internal services and potentially steal credentials.
If you are running Budibase version 3.30.6 or earlier, you are potentially affected by this SSRF vulnerability. Check your version and upgrade immediately.
The recommended fix is to upgrade to a patched version of Budibase. Consult the official Budibase advisory for the latest version.
While no active exploitation has been publicly confirmed, the ease of exploitation makes it likely that attackers are already scanning for vulnerable instances.
Refer to the official Budibase security advisory for detailed information and mitigation steps: [https://budibase.com/security/advisories](https://budibase.com/security/advisories)