CVE-2026-48153
Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata
| CVSS Score | 8.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no scheme or host restriction. This vulnerability is fixed in 3.39.0.
| CWE | CWE-918 |
| Vendor | budibase |
| Product | budibase |
| Published | May 27, 2026 |
| Last Updated | May 27, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | Low |
| Availability | None |
Affected Versions
Budibase / budibase
< 3.39.0