CVE-2026-33226

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration. At time of publication, there are no publicly available patches.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Budibase/budibase/security/advisories/GHSA-4647-wpjq-hh7f	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 23:16

Updated : 2026-03-23 19:14

NVD link : CVE-2026-33226

Mitre link : CVE-2026-33226

CVE.ORG link : CVE-2026-33226

JSON object : View

Products Affected

budibase

budibase

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-33226", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2026-03-20T23:16:46.333", "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4647-wpjq-hh7f", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet \u2014 including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Budibase es una plataforma de bajo c\u00f3digo para crear herramientas internas, flujos de trabajo y paneles de administraci\u00f3n. En versiones desde la 3.30.6 y anteriores, el endpoint de vista previa de consulta de fuente de datos REST (POST /api/queries/preview) realiza solicitudes HTTP del lado del servidor a cualquier URL proporcionada por el usuario en fields.path sin validaci\u00f3n. Un administrador autenticado puede alcanzar servicios internos que no est\u00e1n expuestos a internet \u2014 incluyendo endpoints de metadatos en la nube (AWS/GCP/Azure), bases de datos internas, APIs de Kubernetes y otros pods en la red interna. En GCP esto conduce al robo de tokens OAuth2 con alcance 'cloud-platform' (acceso completo a GCP). En cualquier despliegue permite la enumeraci\u00f3n completa de la red interna. En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente."}], "lastModified": "2026-03-23T19:14:07.133", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52ADDDC4-29B8-41EF-9A96-C82854258816", "versionEndIncluding": "3.30.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}