CVE-2026-48128 Overview
CVE-2026-48128 is a Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The flaw exists in the executeQuery automation step, which accepts a queryId from automation step inputs and forwards it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, an authenticated attacker can coerce the Budibase server into issuing outbound HTTP requests to attacker-influenced destinations. The automation output returns the response body, exposing internal service data. The issue is tracked under [CWE-918] and is fixed in Budibase 3.39.0.
Critical Impact
Authenticated attackers can pivot through the Budibase server to reach internal-only services and exfiltrate response data via automation output.
Affected Products
- Budibase versions prior to 3.39.0
- Self-hosted Budibase deployments with REST datasources configured
- Budibase instances exposing automation builder access to lower-trust users
Discovery Timeline
- 2026-05-27 - CVE-2026-48128 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48128
Vulnerability Analysis
The vulnerability resides in the executeQuery automation step inside Budibase. This step is intended to run a pre-defined query identified by queryId against a configured datasource. The controller trusts the queryId supplied by the automation step inputs and executes the associated query without verifying that the target datasource or endpoint is appropriate for the calling context.
When the referenced query is bound to a REST datasource, the server performs an outbound HTTP request on behalf of the automation. If the datasource base URL points to internal infrastructure such as cloud metadata services, internal APIs, or service-mesh endpoints, the server reaches those destinations from its own network position. The HTTP response body is returned through the automation output, providing a read primitive for internal data.
Root Cause
The root cause is missing authorization and input validation in the query execution path. The executeQuery automation step does not constrain which queryId values are permissible in a given automation context, and it does not validate the resolved target URL against an allowlist. This is a classic SSRF pattern catalogued under [CWE-918], where user-controllable input determines the destination of a server-initiated request.
Attack Vector
Exploitation requires authenticated access with privileges to configure or trigger automations referencing existing queries. The attacker selects or crafts a query bound to a REST datasource pointing at an internal target, then triggers the automation. The Budibase server issues the HTTP request and returns the response in the automation output, enabling internal reconnaissance and data exposure.
// No verified proof-of-concept code is published.
// See the GitHub Security Advisory linked below for technical details.
Detection Methods for CVE-2026-48128
Indicators of Compromise
- Outbound HTTP requests originating from the Budibase server process to RFC1918, link-local (169.254.169.254), or loopback addresses
- Automation execution logs referencing executeQuery steps with unusual or recently modified queryId values
- REST datasources configured with base URLs pointing to internal hostnames or cloud metadata endpoints
Detection Strategies
- Review Budibase application logs for automation runs invoking executeQuery against REST datasources that resolve to internal IP ranges
- Inspect network egress telemetry from the Budibase host for connections to metadata services and internal management interfaces
- Correlate datasource creation events with subsequent automation modifications by the same low-privilege users
Monitoring Recommendations
- Forward Budibase audit and automation execution logs to a centralized SIEM and alert on cross-tenant or cross-app queryId references
- Monitor for HTTP 200 responses returned by automations targeting non-public network ranges
- Track changes to REST datasource configurations, especially additions of internal or metadata URLs
How to Mitigate CVE-2026-48128
Immediate Actions Required
- Upgrade Budibase to version 3.39.0 or later, which contains the official fix
- Audit existing REST datasources and remove any that point to internal infrastructure unless explicitly required
- Review automation step configurations and revoke automation builder permissions from users who do not require them
Patch Information
The vulnerability is fixed in Budibase 3.39.0. Refer to the GitHub Security Advisory GHSA-6964-pp88-6wp9 for upstream patch details and upgrade guidance.
Workarounds
- Restrict the Budibase server's egress network policy to only the external hosts required by legitimate datasources
- Block access from the Budibase host to cloud metadata endpoints such as 169.254.169.254 at the network or IMDSv2 layer
- Limit automation creation and editing rights to trusted administrators until the upgrade can be applied
# Example egress restriction using iptables to block metadata endpoint
iptables -A OUTPUT -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
