CVE-2026-48128 MEDIUM

CVE-2026-48128: Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step

Vendor Budibase
Product budibase
Weakness CWE-918 · SSRF
Published May 27, 2026
Last update May 27, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side request forgery path where automation execution causes the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output then returns the response, potentially exposing internal service data. This vulnerability is fixed in 3.39.0.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 27, 2026 Record updated

Related vulnerabilities

04Related CVE