CVE-2026-31818— Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist

Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

服务端请求伪造(SSRF)

Budibase 安全漏洞

Budibase是英国Budibase开源的一个用于在几分钟内创建内部应用程序、工作流和管理面板的低代码平台。 Budibase 3.33.4之前版本存在安全漏洞，该漏洞源于SSRF保护机制因环境变量未设置而失效，可能导致服务端请求伪造攻击。

N/A

N/A