CVE Catalog

CVE-2026-54353

HighCVSS 8.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

Budibase before version 3.39.9 is vulnerable to SSRF via DNS rebinding. Authenticated users with automation permissions can bypass the IP blacklist because hostname validation before the request is not pinned to the actual connection.

Risk Assessment

An attacker can access internal services, including loopback interfaces, private RFC1918 ranges, and cloud metadata endpoints, potentially leading to data leakage or privilege escalation.

Recommendation

Immediately upgrade Budibase to version 3.39.9 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS