CVE-2026-33226

HIGH EPSS 28.5%

Published Mar 20, 20263mo ago · Modified Jun 17, 20261w ago

8.7 CVSS 3.1

High

Published Mar 20, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration. At time of publication, there are no publicly available patches.

CVSS Details

Base Score

8.7

Exploitability

2.3

Impact

5.8

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Changed

Confidentiality High

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

28.5% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 1

Vendor	Product	Version	Range
budibase	budibase	*	≤3.30.6

References 1

github.com https://github.com/Budibase/budibase/security/advisories/GHSA-4647-wpjq-hh7f

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.