Vulnerability Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration. At time of publication, there are no publicly available patches.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Budibase | Budibase | <= 3.30.6 |
Related Weaknesses (CWE)
References
- https://github.com/Budibase/budibase/security/advisories/GHSA-4647-wpjq-hh7fExploitVendor Advisory
FAQ
What is CVE-2026-33226?
CVE-2026-33226 is a vulnerability with a CVSS score of 8.7 (HIGH). Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) make...
How severe is CVE-2026-33226?
CVE-2026-33226 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33226?
Check the references section above for vendor advisories and patch information. Affected products include: Budibase Budibase.