CVE-2026-45715 Overview
CVE-2026-45715 is a Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code application platform. The flaw exists in the REST datasource integration located at packages/server/src/integrations/rest.ts. The integration follows HTTP redirects without re-validating the destination against the IP blacklist. An authenticated Builder user can craft a request that redirects through an attacker-controlled server to reach internal services such as cloud metadata endpoints and internal databases. The issue is tracked under CWE-918 and is fixed in Budibase version 3.38.1.
Critical Impact
An authenticated Builder can pivot from the Budibase REST datasource to internal cloud metadata services and private databases, exposing credentials and sensitive infrastructure data.
Affected Products
- Budibase versions prior to 3.38.1
- Self-hosted Budibase deployments exposing the REST datasource integration
- Cloud deployments where Builder accounts are accessible to untrusted users
Discovery Timeline
- 2026-05-27 - CVE-2026-45715 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45715
Vulnerability Analysis
Budibase allows Builder users to configure REST datasources that issue HTTP requests to external endpoints. To prevent SSRF, Budibase applies an IP blacklist that blocks requests to private and link-local address ranges, including cloud metadata endpoints such as 169.254.169.254. The blacklist is enforced on the initial request URL.
The REST integration in packages/server/src/integrations/rest.ts automatically follows HTTP 3xx redirect responses. The vulnerability stems from the absence of blacklist re-validation when a redirect target is resolved. An attacker hosts a public server that returns a 302 Found response with a Location header pointing to an internal address. Budibase passes the initial blacklist check against the public host and then issues a follow-up request to the internal target without re-checking the destination IP.
This pattern allows the attacker to read responses from services that should never be reachable from the Budibase server.
Root Cause
The root cause is incomplete SSRF protection in the redirect-handling logic. The IP blacklist runs once at request initiation and is not re-applied to each hop in a redirect chain. This violates the principle that every network destination derived from user input must be validated against the same security policy.
Attack Vector
Exploitation requires authenticated access as a Builder user. The attacker creates a REST datasource pointing to a server they control. That server responds to Budibase with a redirect to an internal target such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ on AWS, http://metadata.google.internal/ on GCP, or an internal database URL. Budibase follows the redirect, fetches the response, and returns the body to the Builder interface. The attacker reads cloud IAM credentials, instance metadata, or internal API responses directly from the Budibase UI.
See the GitHub Security Advisory GHSA-fgqv-jh4g-pvg2 for additional technical details.
Detection Methods for CVE-2026-45715
Indicators of Compromise
- Outbound HTTP requests from the Budibase server to attacker-controlled domains followed immediately by inbound requests to internal addresses such as 169.254.169.254, metadata.google.internal, or RFC 1918 ranges.
- REST datasource configurations created by Builder users that point to unfamiliar external hosts.
- Cloud audit logs showing instance metadata service (IMDS) access originating from the Budibase workload outside expected automation windows.
Detection Strategies
- Review Budibase application logs for REST datasource requests that resulted in HTTP 3xx responses followed by requests to internal IP ranges.
- Correlate egress proxy or VPC flow logs with Budibase process activity to identify redirect chains terminating at metadata or database endpoints.
- Audit the Budibase datasource configuration store for newly created REST integrations referencing unknown external domains.
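As an added example (not Budibase code) of the redirect-chain correlation described in the indicators and strategies above, the function below scans constructed REST datasource log lines for a 3xx answer from a public host followed, within the same request id, by a hop to an internal address. The log line format and the req= field are assumptions; adapt the regex to the fields your deployment actually emits.

```typescript
// Added example, not Budibase code: flag redirect chains that end at internal addresses.
// Log line format is a constructed assumption: "<ts> req=<id> host=<host> status=<code>".
const LINE = /^(\S+) req=(\S+) host=(\S+) status=(\d{3})$/;
const INTERNAL_HOST = /^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.)|^metadata\.google\.internal$/;

type Hop = { ts: string; req: string; host: string; status: number };
type Finding = { req: string; at: string; via: string; target: string };

function parseLine(line: string): Hop | null {
  const m = LINE.exec(line.trim());
  return m ? { ts: m[1], req: m[2], host: m[3], status: Number(m[4]) } : null;
}

// A finding is a 3xx answer from host A followed, in the same request id, by a hop to an internal host.
function findRedirectsToInternal(lines: string[]): Finding[] {
  const byReq: Record<string, Hop[]> = {};
  for (const line of lines) {
    const hop = parseLine(line);
    if (!hop) continue;                                  // unrelated log lines are skipped
    (byReq[hop.req] = byReq[hop.req] || []).push(hop);
  }
  const findings: Finding[] = [];
  for (const req of Object.keys(byReq)) {
    const hops = byReq[req];
    for (let i = 1; i < hops.length; i++) {
      const prev = hops[i - 1], cur = hops[i];
      if (prev.status >= 300 && prev.status < 400 && INTERNAL_HOST.test(cur.host)) {
        findings.push({ req, at: cur.ts, via: prev.host, target: cur.host });
      }
    }
  }
  return findings;
}

// Constructed sample: ds-7 is a benign public-to-public redirect, ds-9 is the SSRF pivot pattern.
const SAMPLE_LOG = [
  "2026-05-27T10:00:01Z req=ds-7 host=api.example.org status=301",
  "2026-05-27T10:00:01Z req=ds-7 host=www.example.org status=200",
  "2026-05-27T10:02:15Z req=ds-9 host=public.example status=302",
  "2026-05-27T10:02:15Z req=ds-9 host=169.254.169.254 status=200",
  "2026-05-27T10:02:16Z worker heartbeat ok",                    // unrelated line
];
```

Running findRedirectsToInternal(SAMPLE_LOG) yields one finding for ds-9 only; a request that is blocked by the blacklist at the first hop never produces a chain and is a matter for the blacklist's own logging.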
Monitoring Recommendations
- Enforce egress filtering from the Budibase host and alert on any connection attempt to cloud metadata IP ranges.
- Monitor creation and modification events for REST datasources and flag Builder accounts that add external endpoints at unusual rates.
- Track Builder role assignments and alert when new Builder accounts are provisioned, since exploitation requires this privilege level.
How to Mitigate CVE-2026-45715
Immediate Actions Required
- Upgrade Budibase to version 3.38.1 or later, which re-applies the IP blacklist on every redirect hop.
- Rotate any cloud IAM credentials, database secrets, or API keys reachable from the Budibase server that may have been exposed before patching.
- Review the list of Builder accounts and remove access for users who do not require datasource configuration privileges.
Patch Information
The fix is included in Budibase Release 3.38.1. The patch updates packages/server/src/integrations/rest.ts so that redirect targets are validated against the IP blacklist before each follow-up request. Self-hosted operators should pull the updated container image or package and restart the Budibase services. Refer to the GitHub Security Advisory GHSA-fgqv-jh4g-pvg2 for full remediation guidance.
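To make both the root cause described above and the per-hop re-validation the patch introduces concrete, here is an added example that is not Budibase's rest.ts: a minimal redirect-following client in the vulnerable form beside a hardened form that resolves and re-checks every hop against a blacklist. The CIDR list, the injected fetchOnce/resolve functions and the public.example host are constructed for the demo.

```typescript
// Added example, not Budibase code: vulnerable vs. hardened redirect handling.
// Network I/O is replaced by injected fetchOnce/resolve functions so it runs offline.
type Resp = { status: number; headers: Record<string, string>; body: string };
type FetchOnce = (url: string) => Resp;    // one request, never auto-follows redirects
type Resolve = (host: string) => string;   // hostname -> IPv4 literal (assumed helper)

// Ranges the server must never reach (constructed list; Budibase's own may differ).
const BLOCKED_CIDRS: [string, number][] = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["169.254.0.0", 16], ["0.0.0.0", 8],
];
const ipToInt = (ip: string) => ip.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
function isBlockedIp(ip: string): boolean {
  return BLOCKED_CIDRS.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
  });
}
const isRedirect = (r: Resp) => r.status >= 300 && r.status < 400 && !!r.headers.location;

// VULNERABLE (the pattern in the advisory): blacklist checked once, then redirects followed blindly.
function fetchUnsafe(url: string, fetchOnce: FetchOnce, resolve: Resolve): Resp {
  if (isBlockedIp(resolve(new URL(url).hostname))) throw new Error("blocked: " + url);
  let res = fetchOnce(url);
  while (isRedirect(res)) res = fetchOnce(new URL(res.headers.location, url).toString());
  return res;
}

// HARDENED: resolve and check the destination of every hop before sending it, with a hop limit.
// In real code the check must apply to the address actually connected to (DNS can change between hops).
function fetchSafe(url: string, fetchOnce: FetchOnce, resolve: Resolve, maxHops = 5): Resp {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (isBlockedIp(resolve(new URL(current).hostname))) throw new Error("blocked: " + current);
    const res = fetchOnce(current);
    if (!isRedirect(res)) return res;
    current = new URL(res.headers.location, current).toString();
  }
  throw new Error("too many redirects");
}

// Constructed scenario: a public host answers 302 pointing at the AWS metadata endpoint.
function demo(): { unsafeBody: string; safeError: string } {
  const META = "http://169.254.169.254/latest/meta-data/";
  const fetchOnce: FetchOnce = (u) => u === "http://public.example/"
    ? { status: 302, headers: { location: META }, body: "" }
    : { status: 200, headers: {}, body: "role-credentials" };
  const resolve: Resolve = (h) => (h === "public.example" ? "203.0.113.10" : h);
  let safeError = "";
  try { fetchSafe("http://public.example/", fetchOnce, resolve); } catch (e) { safeError = (e as Error).message; }
  return { unsafeBody: fetchUnsafe("http://public.example/", fetchOnce, resolve).body, safeError };
}
```

In demo() the vulnerable client returns the metadata body while the hardened client rejects the second hop; in the real fix the same check must also cover hostnames such as metadata.google.internal that resolve into the blocked ranges.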
Workarounds
- Enforce IMDSv2 on AWS EC2 instances hosting Budibase to require session tokens that cannot be obtained via SSRF.
- Block outbound traffic from the Budibase server to 169.254.0.0/16, metadata.google.internal, and other internal-only endpoints at the network layer.
- Restrict the Builder role to a small set of trusted operators until the upgrade to 3.38.1 is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

