CVE Catalog

CVE-2026-48153

High
Published: Translated: NVD NIST

Summary

Budibase is an open-source low-code platform. Prior to version 3.39.0, the fetchToken function in the OAuth2 SDK makes a POST to a builder-supplied URL, skipping the blacklist.isBlacklisted check, which may lead to unauthorized access.

Risk Assessment

Organizations may be exposed to attacks that exploit this vulnerability to send data to unauthorized locations, potentially leading to information leakage.

Recommendation

It is recommended to upgrade to version 3.39.0 or later to mitigate this vulnerability and implement additional security measures to monitor and control outbound connections.

Original NVD description (English source)

Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no scheme or host restriction. This vulnerability is fixed in 3.39.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS