{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31818", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T17:41:56.076Z", "datePublished": "2026-04-03T15:41:13.955Z", "dateUpdated": "2026-04-03T20:04:33.012Z"}, "containers": {"cna": {"title": "Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1188", "lang": "en", "description": "CWE-1188: Insecure Default Initialization of Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45"}, {"name": "https://github.com/Budibase/budibase/pull/18236", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/pull/18236"}, {"name": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732"}, {"name": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.33.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:41:13.955Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4."}], "source": {"advisory": "GHSA-7r9j-r86q-7g45", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T20:04:22.287596Z", "id": "CVE-2026-31818", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:04:33.012Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31818", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T20:04:22.287596Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:04:28.809Z"}}], "cna": {"title": "Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist", "source": {"advisory": "GHSA-7r9j-r86q-7g45", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "< 3.33.4"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Budibase/budibase/pull/18236", "name": "https://github.com/Budibase/budibase/pull/18236", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732", "name": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "name": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188: Insecure Default Initialization of Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:41:13.955Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31818", "state": "PUBLISHED", "dateUpdated": "2026-04-03T20:04:33.012Z", "dateReserved": "2026-03-09T17:41:56.076Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:41:13.955Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "matchCriteriaId": "B316A29C-7C2F-4102-ACF6-DDB06B3D0AD5", "versionEndExcluding": "3.33.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4."}], "id": "CVE-2026-31818", "lastModified": "2026-04-08T21:19:30.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T16:16:39.800", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/Budibase/budibase/pull/18236"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}, {"lang": "en", "value": "CWE-1188"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.33.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-08T23:07:59.628064+00:00", "value": {"mitigation_remediation": ["Upgrade Budibase to version 3.33.4 or later to apply the SSRF fix. If immediate upgrade is not possible, configure the BLACKLIST_IPS environment variable with a non\u2011empty list of IP ranges to re\u2011enable SSRF filtering and restart the service. Verify that the environment variable is present in all deployment configurations and that outbound requests are now restricted."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted outbound network access via SSRF"}, "threat_synthesis": {"affected_systems": "All Budibase installations running versions earlier than 3.33.4 are affected, regardless of deployment mode or configuration. The issue affects every deployment setup that relies on Budibase's REST datasource connector, since the BLACKLIST_IPS variable is missing from the official deployment definitions.\n", "description_and_impact": "A flaw in Budibase's REST connector allows an attacker to direct the server to send requests to arbitrary URLs, bypassing the intended IP blacklist protection. The vulnerability results from an empty default blacklist environment variable, causing the SSRF guard to always return false and permitting unrestricted outbound traffic. The flaw is essentially a failure of a defensive filter that should reject or limit external requests.\n", "risk_and_exploitability": "The CVSS score of 9.6 denotes a severe vulnerability capable of remote code execution or data exfiltration. EPSS is below 1%, indicating a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred as interaction with the exposed REST API, which may be reachable by authenticated or unauthenticated users depending on the network configuration, and leveraging the bypassed SSRF checks.\n"}}}}, "created": "2026-04-03T21:13:01.821491+00:00", "updated": "2026-04-09T08:29:13.965330+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}