CVE Catalog

CVE-2026-45548

High
Published: Translated: NVD NIST

Summary

Budibase is an open-source low-code platform. In versions prior to 3.34.8, the processUrlFile function in extract.ts did not validate IP addresses, allowing authenticated users to send requests to internal network addresses.

Risk Assessment

The organization may be exposed to unauthorized access to internal network resources by authenticated users, potentially leading to data leaks or other attacks.

Recommendation

It is recommended to upgrade to version 3.34.8 or later to mitigate this vulnerability and implement additional security measures to monitor and restrict access to internal addresses.

Original NVD description (English source)

Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated user to trigger server-side requests to internal network addresses. This vulnerability is fixed in 3.34.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS