Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration

Description

The REST datasource integration follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server.

Recommendation

Update the @budibase/server package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.38.1
• Patched version(s): 3.38.1

References

• GHSA-fgqv-jh4g-pvg2
• CVE-2026-45715
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation - CVE-2026-45548
• LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader - CVE-2026-27795
• Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step - CVE-2026-35216
• @utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol - CVE-2026-45366

You might also like:

CSRF, XXE, and 12 Other Security Acronyms Explained

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:

npm

@budibase/server