CVE-2026-45061 Overview
CVE-2026-45061 is a Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The flaw exists in the Plugin URL upload endpoint (POST /api/plugin), which validates submitted URLs with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string passes the check and proceeds to fetchWithBlacklist() without further validation of host, scheme, or path. The vulnerability is fixed in version 3.35.10.
Critical Impact
An authenticated attacker with plugin upload privileges can make the Budibase server issue requests to internal network resources (including cloud metadata endpoints) whenever the SSRF blacklist is empty or an external URL redirects to an internal target, exposing data that should be unreachable from outside the application's network boundary.
Affected Products
- Budibase versions prior to 3.35.10
- Budibase Plugin URL upload endpoint (POST /api/plugin)
- Deployments using node-fetch default redirect behavior (redirect: 'follow')
Discovery Timeline
- 2026-05-27 - CVE-2026-45061 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45061
Vulnerability Analysis
The vulnerability stems from inadequate URL validation in the Budibase plugin upload workflow. The endpoint accepts a URL parameter and uses url.includes(".tar.gz") to verify the input represents a plugin archive. This substring check is naive — it does not parse the URL, inspect the host, or verify that .tar.gz appears as a file extension. An attacker can craft URLs such as http://internal-host/path?file=.tar.gz or http://attacker.com/redirect#.tar.gz to satisfy the check while pointing to arbitrary destinations.
The URL is then passed to fetchWithBlacklist(), which by default blocks private IP ranges. Two scenarios defeat that protection. First, the BLACKLIST_IPS bypass referenced in the advisory leaves the blacklist empty, so nothing is blocked. Second, the underlying node-fetch library follows HTTP redirects by default, and the blacklist is evaluated only against the submitted URL: an external URL that passes the check can redirect to an internal target, and the redirected request is not checked again.
This weakness is classified under [CWE-918] Server-Side Request Forgery.
Root Cause
The root cause is reliance on substring matching for URL validation instead of structured parsing. The check does not extract the host, validate the scheme, or confirm the path ends with the expected extension. Combined with permissive redirect handling in node-fetch, the validation layer fails to enforce its intended security boundary.
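The check described above, beside a structured replacement, as an added example (this is illustrative code written for this page, not Budibase's own source or patch). validatePluginUrl, isBlockedHost, safeFetchArchive and the injected fetchImpl/resolveImpl hooks are hypothetical names; the https-only rule, the port rule and the literal-address list are this example's policy, not the vendor's. The fake fetch and resolver at the bottom are constructed so the block runs offline.

```javascript
// Added example, not Budibase code: the substring check the advisory describes
// beside a structured validator and a redirect-aware fetch wrapper.
// validatePluginUrl, isBlockedHost, safeFetchArchive, fetchImpl and resolveImpl
// are hypothetical names; the policy rules are this example's, not the vendor's.

// The vulnerable check: any URL with ".tar.gz" anywhere in it passes.
function naiveCheck(url) {
  return url.includes(".tar.gz");
}

// Literal v4 prefixes the fetcher must never connect to (RFC 1918, loopback,
// link-local incl. cloud metadata, "this network"). Hostnames are resolved and
// re-checked per hop in safeFetchArchive; this regex only covers literals.
const BLOCKED_V4 = /^(0\.|10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

function isBlockedHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(h)) return BLOCKED_V4.test(h);
  if (h.includes(":")) {
    // IPv6 loopback, unspecified, link-local, ULA and v4-mapped literals.
    return h === "::1" || h === "::" || /^(fe80|fc|fd)/.test(h) || h.startsWith("::ffff:");
  }
  return false;
}

// Structured replacement for naiveCheck: parse first, then check scheme,
// credentials, port, the decoded path's real extension and the host separately.
function validatePluginUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "https:") return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: "credentials in URL" };
  if (u.port && u.port !== "443") return { ok: false, reason: `non-standard port ${u.port}` };
  let path;
  try { path = decodeURIComponent(u.pathname); } catch { return { ok: false, reason: "bad percent-encoding" }; }
  if (!path.endsWith(".tar.gz")) return { ok: false, reason: "path does not end in .tar.gz" };
  if (isBlockedHost(u.hostname)) return { ok: false, reason: `blocked host ${u.hostname}` };
  return { ok: true, url: u };
}

// Redirect-aware fetch. node-fetch's redirect: "manual" stops automatic
// following, so every hop is validated, and its hostname resolved and checked,
// before the next request goes out. fetchImpl/resolveImpl are injected so the
// example runs offline; in production pass node-fetch and dns.promises.lookup.
// Caveat: resolving here and again inside fetch leaves a DNS-rebinding window;
// a production build pins the resolved address with a custom agent.
async function safeFetchArchive(raw, { fetchImpl, resolveImpl, maxHops = 5 }) {
  let current = raw;
  for (let hop = 0; hop <= maxHops; hop++) {
    const v = validatePluginUrl(current);
    if (!v.ok) throw new Error(`hop ${hop} rejected: ${v.reason} (${current})`);
    const addr = await resolveImpl(v.url.hostname);
    if (isBlockedHost(addr)) throw new Error(`hop ${hop}: ${v.url.hostname} resolves to blocked ${addr}`);
    const res = await fetchImpl(v.url.href, { redirect: "manual" });
    if (res.status >= 300 && res.status < 400) {
      const loc = res.headers.get("location");
      if (!loc) throw new Error(`hop ${hop}: redirect without Location`);
      current = new URL(loc, v.url).href; // relative Location resolved against this hop
      continue;
    }
    return res;
  }
  throw new Error(`more than ${maxHops} redirects`);
}

// Constructed offline doubles: an external redirector that bounces to the
// cloud metadata service, which is the redirect scenario the advisory describes.
const fakeResolve = async (host) =>
  ({ "cdn.example": "198.51.100.20", "redirector.example": "203.0.113.9" })[host] || "203.0.113.1";
const fakeFetch = async (href) => {
  if (href.startsWith("https://redirector.example/")) {
    return { status: 302, headers: new Map([["location", "http://169.254.169.254/latest/meta-data/?x=.tar.gz"]]) };
  }
  return { status: 200, headers: new Map(), body: "<archive bytes>" };
};
```

Note that naiveCheck accepts http://169.254.169.254/latest/meta-data/?x=.tar.gz while validatePluginUrl rejects it on the scheme alone, and that safeFetchArchive refuses the redirector's Location at hop 1 because each hop passes through the same validator.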
Attack Vector
An authenticated attacker with plugin upload privileges submits a crafted URL containing .tar.gz as a substring. The server fetches the URL, follows any redirects, and returns or processes the response. When combined with an empty blacklist or an attacker-controlled redirector pointing to internal services, the request reaches resources behind the application's network perimeter. Refer to the GitHub Security Advisory GHSA-xh5j-727m-w6gg for full technical details.
Detection Methods for CVE-2026-45061
Indicators of Compromise
- Requests to POST /api/plugin whose URL carries .tar.gz in the query string or fragment rather than as the path's extension (a fragment is never sent to the remote server, so #.tar.gz satisfies the check at no cost to the attacker)
- Outbound connections from the Budibase plugin server to internal IP ranges or cloud metadata endpoints such as 169.254.169.254
- HTTP 3xx redirect responses logged by the plugin fetcher that resolve to internal hostnames
Detection Strategies
- Inspect application logs for plugin upload requests with unusual URL structures, including encoded characters, fragments, or non-standard ports
- Correlate plugin endpoint activity with outbound network flows from the Budibase host to detect unauthorized internal access
- Monitor for authenticated users invoking the plugin upload endpoint at unusual frequencies or from unexpected source IPs
Monitoring Recommendations
- Enable verbose request logging on the /api/plugin endpoint and forward logs to a centralized SIEM for analysis
- Alert on any DNS resolution from the Budibase server to internal-only hostnames or cloud metadata services
- Track HTTP redirect chains initiated by the plugin fetcher and flag redirects that cross network trust boundaries
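The indicators, detection strategies and monitoring points above turned into checks run over constructed sample records, as an added example (written for this page, not taken from Budibase or from any SIEM product). The record shapes (a normalised request log with ts, user, src_ip and url, and an egress flow log with ts, dst_ip and dst_port), the five-second correlation window and the burst threshold are assumptions about one particular log pipeline.

```javascript
// Added example, not from the page or from Budibase: the indicators and
// detection strategies above as checks over constructed sample records.
// Record shapes, the correlation window and the burst threshold are assumptions.

// Constructed request-log records for POST /api/plugin (ts in seconds).
const SAMPLE_REQUESTS = [
  { ts: 1000, user: "alice",   src_ip: "203.0.113.10", path: "/api/plugin",
    url: "https://github.com/acme/bb-plugin/releases/download/v1.2.0/bb-plugin.tar.gz" },
  { ts: 1100, user: "mallory", src_ip: "198.51.100.7", path: "/api/plugin",
    url: "http://169.254.169.254/latest/meta-data/iam/?file=.tar.gz" },
  { ts: 1200, user: "mallory", src_ip: "198.51.100.7", path: "/api/plugin",
    url: "https://redirector.example:8443/go#.tar.gz" },
  { ts: 1300, user: "mallory", src_ip: "198.51.100.7", path: "/api/plugin",
    url: "https://cdn.example/%2e%2e/x.tar.gz?next=http://10.0.4.20:8080/" },
];

// Constructed egress flows observed from the Budibase host.
const SAMPLE_FLOWS = [
  { ts: 1002, dst_ip: "140.82.112.3",    dst_port: 443 },
  { ts: 1101, dst_ip: "169.254.169.254", dst_port: 80 },
  { ts: 1203, dst_ip: "10.0.4.20",       dst_port: 8080 },
];

// RFC 1918, loopback and link-local (which covers the cloud metadata address).
const INTERNAL_V4 = /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

// Indicator 1: URL structure. Returns the list of findings for one submitted URL.
function analyzePluginUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return ["unparseable URL"]; }
  const findings = [];
  const inPath = u.pathname.endsWith(".tar.gz");
  if (!inPath && (u.search + u.hash).includes(".tar.gz")) findings.push("tar.gz only in query/fragment");
  if (u.hash) findings.push("fragment present");                        // never sent to the server
  if (u.port && u.port !== "80" && u.port !== "443") findings.push(`non-standard port ${u.port}`);
  if (/%[0-9a-f]{2}/i.test(raw)) findings.push("percent-encoded characters");
  if (/https?:\/\//i.test(u.search)) findings.push("URL embedded in query string"); // open-redirector shape
  if (u.protocol !== "https:") findings.push(`scheme ${u.protocol}`);
  if (u.hostname === "localhost" || INTERNAL_V4.test(u.hostname)) findings.push("literal internal address");
  return findings;
}

// Indicator 2: a plugin upload followed within windowSec by an egress flow to
// an internal or metadata address from the same host.
function correlateEgress(requests, flows, windowSec) {
  const alerts = [];
  for (const r of requests.filter((q) => q.path === "/api/plugin")) {
    for (const f of flows) {
      const inWindow = f.ts >= r.ts && f.ts - r.ts <= windowSec;
      if (inWindow && INTERNAL_V4.test(f.dst_ip)) {
        alerts.push({ user: r.user, url: r.url, dst: `${f.dst_ip}:${f.dst_port}`, lag: f.ts - r.ts });
      }
    }
  }
  return alerts;
}

// Indicator 3: unusual frequency. Users with at least `threshold` plugin
// uploads inside any windowSec span.
function burstUsers(requests, windowSec, threshold) {
  const byUser = new Map();
  for (const r of requests) {
    if (r.path !== "/api/plugin") continue;
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push(r.ts);
  }
  const flagged = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    for (let i = 0; i < times.length; i++) {
      const n = times.filter((t) => t >= times[i] && t - times[i] <= windowSec).length;
      if (n >= threshold) { flagged.push(user); break; }
    }
  }
  return flagged;
}

// Run all three detections over the constructed samples.
function runDetections() {
  return {
    urlFindings: SAMPLE_REQUESTS.map((r) => ({ user: r.user, url: r.url, findings: analyzePluginUrl(r.url) })),
    egress: correlateEgress(SAMPLE_REQUESTS, SAMPLE_FLOWS, 5),
    bursts: burstUsers(SAMPLE_REQUESTS, 300, 3),
  };
}
```

On these samples the legitimate GitHub release URL produces no findings, the metadata URL is flagged three ways (query-only .tar.gz, plain http, literal internal address), and both of mallory's internal-bound requests correlate with an egress flow within seconds. The URL analysis runs on the request log alone; the egress correlation needs the flow or DNS telemetry the monitoring recommendations call for.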
How to Mitigate CVE-2026-45061
Immediate Actions Required
- Upgrade Budibase to version 3.35.10 or later, which contains the official fix
- Audit recent activity on POST /api/plugin to identify any suspicious URL submissions prior to patching
- Restrict plugin upload privileges to a minimal set of trusted administrators until the upgrade is complete
Patch Information
The vendor released a fix in Budibase 3.35.10. The patch is described in the GitHub Security Advisory GHSA-xh5j-727m-w6gg. Apply the upgrade in all production and staging environments.
Workarounds
- Place the Budibase server behind an egress proxy that restricts outbound connections to known plugin registry hosts
- Disable automatic redirect following in the plugin fetcher by calling node-fetch with redirect: 'manual' or redirect: 'error'; this is a source-level change rather than a runtime setting, and because many release hosts serve archives through a redirect, validating each hop's Location against the blacklist is more practical than refusing redirects outright
- Verify that the BLACKLIST_IPS configuration is populated with private IP ranges and cloud metadata addresses
- Enforce network segmentation so the Budibase host cannot reach sensitive internal services directly
# Configuration example: upgrade Budibase via Docker
# Carry over the -v volume mounts and any other -e settings from the existing
# deployment; docker rm discards anything stored inside the container itself.
docker pull budibase/budibase:3.35.10
docker stop budibase
docker rm budibase
docker run -d --name budibase \
  -p 80:80 \
  -e BLACKLIST_IPS="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,127.0.0.0/8" \
  budibase/budibase:3.35.10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.