← Zuruck zu CVEs

CVE-2026-31818

CRITICAL

9.6

Beschreibung

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.

CVE Details

CVSS v3.1 Bewertung9.6

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienLOW

BenutzerinteraktionNONE

Veroffentlicht4/3/2026

Zuletzt geandert4/3/2026

Quellenvd

Honeypot-Sichtungen0

Schwachen (CWE)

CWE-918CWE-1188

Referenzen

https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732(security-advisories@github.com)

https://github.com/Budibase/budibase/pull/18236(security-advisories@github.com)

https://github.com/Budibase/budibase/releases/tag/3.33.4(security-advisories@github.com)

https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45(security-advisories@github.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.