CVE-2026-31818
Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
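The fail-open behaviour described above, shown as an added illustration beside a fail-closed check. This is not Budibase's own code: it assumes IPv4 addresses that the caller has already resolved, a comma-separated `BLACKLIST_IPS` value of addresses or CIDR blocks, and a hypothetical built-in deny list.

```javascript
// Added example (not Budibase's code). IPv4 only; hostnames are assumed
// to be resolved by the caller before the check runs.

// Parse "a.b.c.d" into a 32-bit unsigned integer.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`not an IPv4 address: ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True if ip lies inside the CIDR block (e.g. "10.0.0.0/8"); a bare address is /32.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// The pattern the advisory describes: an unset or empty BLACKLIST_IPS
// makes the guard return false for every address, so nothing is blocked.
function isBlacklistedFailOpen(ip, blacklistEnv) {
  if (!blacklistEnv) return false; // empty configuration => allow everything
  return blacklistEnv.split(",").map(s => s.trim()).filter(Boolean).some(c => inCidr(ip, c));
}

// Hypothetical built-in deny list: ranges an SSRF guard should refuse even
// when the operator has configured nothing at all.
const DEFAULT_DENY = [
  "127.0.0.0/8",                                      // loopback
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    // RFC 1918 private ranges
  "169.254.0.0/16",                                   // link-local (cloud metadata endpoints live here)
  "0.0.0.0/8",                                        // "this" network
];

// Fail-closed replacement: the built-in deny list always applies and the
// environment variable can only add to it, never switch it off.
function isBlockedFailClosed(ip, blacklistEnv) {
  const extra = (blacklistEnv || "").split(",").map(s => s.trim()).filter(Boolean);
  return [...DEFAULT_DENY, ...extra].some(c => inCidr(ip, c));
}
```

With `BLACKLIST_IPS` unset, the first function lets a loopback or link-local destination through while the second still refuses it.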
CVE Details
CVSS v3.1 Score: 9.6
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 4/3/2026
Last Modified: 4/3/2026
Source: nvd
Honeypot Sightings: 0
Weaknesses (CWE)
CWE-918, CWE-1188
References
https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732 (source: security-advisories@github.com)
https://github.com/Budibase/budibase/pull/18236 (source: security-advisories@github.com)
https://github.com/Budibase/budibase/releases/tag/3.33.4 (source: security-advisories@github.com)
https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45 (source: security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.