{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@budibase/server--3.38.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@budibase/server (\u003c 3.38.1)","Budibase"],"_cs_severities":["high"],"_cs_tags":["ssrf","budibase","cve-2026-45715"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eBudibase is susceptible to a server-side request forgery (SSRF) vulnerability within its REST datasource integration. This flaw allows an authenticated \u0026ldquo;Builder\u0026rdquo; user to bypass the built-in IP blacklist and access internal network resources. The vulnerability stems from the \u003ccode\u003e_req()\u003c/code\u003e method in \u003ccode\u003epackages/server/src/integrations/rest.ts\u003c/code\u003e not re-checking the IP blacklist after an HTTP redirect, an oversight previously addressed in the automation steps (\u003ccode\u003efetchWithBlacklist\u003c/code\u003e in \u003ccode\u003epackages/server/src/automations/steps/utils.ts\u003c/code\u003e). By setting up an attacker-controlled server to redirect requests to internal services or cloud metadata endpoints, an attacker can steal sensitive information. This issue was confirmed on Budibase v3.34.6, with a fix released in version 3.38.1. This poses a significant risk to cloud environments where Budibase instances are deployed, as it can lead to credential theft and unauthorized access to internal resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sets up a redirect server (e.g., using Python\u0026rsquo;s \u003ccode\u003ehttp.server\u003c/code\u003e) on a publicly accessible IP address, configured to redirect to an internal service or cloud metadata endpoint.\u003c/li\u003e\n\u003cli\u003eAn authenticated \u0026ldquo;Builder\u0026rdquo; user in Budibase creates a REST datasource, configuring it to point to the attacker\u0026rsquo;s redirect server.\u003c/li\u003e\n\u003cli\u003eThe Builder initiates a query using the newly created REST datasource. The request includes the attacker\u0026rsquo;s server URL in the \u003ccode\u003epath\u003c/code\u003e field of the query configuration.\u003c/li\u003e\n\u003cli\u003eBudibase\u0026rsquo;s \u003ccode\u003e_req()\u003c/code\u003e method in \u003ccode\u003epackages/server/src/integrations/rest.ts\u003c/code\u003e performs an initial IP blacklist check on the attacker\u0026rsquo;s server URL. Because the attacker\u0026rsquo;s server is public, this check passes.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetch()\u003c/code\u003e function follows the HTTP redirect (301/302/307) to the internal target specified by the attacker\u0026rsquo;s server (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e). Critically, this redirect is NOT re-checked against the IP blacklist.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the internal target, bypassing the intended security control.\u003c/li\u003e\n\u003cli\u003eThe internal target (e.g., cloud metadata service) responds with sensitive information.\u003c/li\u003e\n\u003cli\u003eBudibase receives the response from the internal target and displays it to the Builder user, effectively leaking sensitive information like cloud IAM credentials or allowing access to internal services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows attackers to bypass the IP blacklist and access internal services, leading to potential data breaches. On cloud instances, attackers can steal IAM credentials from metadata endpoints like \u003ccode\u003e169.254.169.254\u003c/code\u003e. Successful exploitation enables access to internal services such as CouchDB (\u003ccode\u003e:4005\u003c/code\u003e), Redis (\u003ccode\u003e:6379\u003c/code\u003e), and MinIO (\u003ccode\u003e:4004\u003c/code\u003e). This SSRF vulnerability was previously fixed in automation steps (commits \u003ccode\u003e6cfa3bcca3\u003c/code\u003e, \u003ccode\u003ee7d47625be\u003c/code\u003e) but not in the REST datasource integration, highlighting a critical oversight.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.38.1 or later to patch CVE-2026-45715.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Budibase SSRF via REST Datasource to Metadata Endpoint\u0026rdquo; to detect exploitation attempts targeting cloud metadata endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Budibase SSRF via REST Datasource Redirect\u0026rdquo; to detect exploitation attempts redirecting to internal services.\u003c/li\u003e\n\u003cli\u003eReview and audit existing REST datasource configurations for any suspicious URLs that may point to external or unexpected internal targets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T17:54:56Z","date_published":"2026-05-15T17:54:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-budibase-ssrf/","summary":"Budibase is vulnerable to server-side request forgery (SSRF) via HTTP redirects in the REST datasource integration, allowing authenticated Builders to bypass IP blacklists and access internal services.","title":"Budibase REST Datasource SSRF via HTTP Redirect Bypass (CVE-2026-45715)","url":"https://feed.craftedsignal.io/briefs/2026-05-budibase-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — @Budibase/Server (\u003c 3.38.1)","version":"https://jsonfeed.org/version/1.1"}