← Volver a CVEs

CVE-2026-31818

CRITICAL

9.6

Descripcion

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.

Detalles CVE

Puntuacion CVSS v3.19.6

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado4/3/2026

Ultima modificacion4/3/2026

Fuentenvd

Avistamientos honeypot0

Debilidades (CWE)

CWE-918CWE-1188

Referencias

https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732(security-advisories@github.com)

https://github.com/Budibase/budibase/pull/18236(security-advisories@github.com)

https://github.com/Budibase/budibase/releases/tag/3.33.4(security-advisories@github.com)

https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.