CVE-2026-48153
HighSummary
Budibase is an open-source low-code platform. Prior to version 3.39.0, the fetchToken function in the OAuth2 SDK makes a POST to a builder-supplied URL, skipping the blacklist.isBlacklisted check, which may lead to unauthorized access.
Risk Assessment
Organizations may be exposed to attacks that exploit this vulnerability to send data to unauthorized locations, potentially leading to information leakage.
Recommendation
It is recommended to upgrade to version 3.39.0 or later to mitigate this vulnerability and implement additional security measures to monitor and control outbound connections.
Original NVD description (English source)
Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no scheme or host restriction. This vulnerability is fixed in 3.39.0.

