Vulnerability Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Budibase | Budibase | < 3.33.4 |
Related Weaknesses (CWE)
References
- https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc00Patch
- https://github.com/Budibase/budibase/pull/18236Issue TrackingPatch
- https://github.com/Budibase/budibase/releases/tag/3.33.4ProductRelease Notes
- https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-31818?
CVE-2026-31818 is a vulnerability with a CVSS score of 9.6 (CRITICAL). Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection...
How severe is CVE-2026-31818?
CVE-2026-31818 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-31818?
Check the references section above for vendor advisories and patch information. Affected products include: Budibase Budibase.