CVE-2026-45548
HighSummary
Budibase is an open-source low-code platform. In versions prior to 3.34.8, the processUrlFile function in extract.ts did not validate IP addresses, allowing authenticated users to send requests to internal network addresses.
Risk Assessment
The organization may be exposed to unauthorized access to internal network resources by authenticated users, potentially leading to data leaks or other attacks.
Recommendation
It is recommended to upgrade to version 3.34.8 or later to mitigate this vulnerability and implement additional security measures to monitor and restrict access to internal addresses.
Original NVD description (English source)
Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated user to trigger server-side requests to internal network addresses. This vulnerability is fixed in 3.34.8.

