{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/budibase/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Budibase"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","defense-evasion","execution","impact","discovery","cloud"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in Budibase. Together they could allow an attacker to gain administrative privileges, circumvent existing security measures, execute Cross-Site Scripting (XSS) attacks, manipulate sensitive data, and disclose confidential information. The source document provides neither CVE IDs nor technical details, so the exact attack vectors and impact cannot be assessed without further information. 
However, the potential for privilege escalation, data manipulation, and XSS attacks makes this a high-priority issue for organizations running Budibase.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Budibase instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eAttacker exploits one of the reported security-control bypasses to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eAttacker leverages gained privileges to escalate to administrator level.\u003c/li\u003e\n\u003cli\u003eAttacker bypasses security controls to inject malicious code or scripts.\u003c/li\u003e\n\u003cli\u003eAttacker executes Cross-Site Scripting (XSS) attacks to compromise user sessions.\u003c/li\u003e\n\u003cli\u003eAttacker manipulates data within the Budibase application, potentially altering critical business information.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive or confidential information accessible through Budibase.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistent access for future malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to a range of adverse outcomes, including unauthorized access to sensitive data, modification of critical business information, and compromise of user accounts. The extent of the impact would depend on the specific vulnerabilities exploited and the scope of data and functionality accessible through the Budibase application. 
Without further details, the number of affected organizations and sectors cannot be estimated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the generic XSS detection rule to identify potential cross-site scripting attacks against Budibase applications.\u003c/li\u003e\n\u003cli\u003eMonitor Budibase logs (if available) for suspicious activity, and investigate any anomalies related to authentication or authorization.\u003c/li\u003e\n\u003cli\u003eImplement the generic privilege escalation detection rule to catch attempts to gain admin privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T11:34:07Z","date_published":"2026-05-21T11:34:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-budibase-multiple-vulnerabilities/","summary":"Multiple vulnerabilities in Budibase could be exploited by an attacker to gain administrative privileges, bypass security measures, perform cross-site scripting attacks, manipulate data, or disclose confidential information.","title":"Budibase Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-05-budibase-multiple-vulnerabilities/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Budibase"],"_cs_severities":["high"],"_cs_tags":["security-bypass","data-manipulation"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eA security vulnerability exists within Budibase that could allow an authenticated remote attacker to bypass security precautions and manipulate data. The vulnerability's specifics are not detailed in this brief, but the core issue is unauthorized data manipulation within the Budibase application. 
Defenders should apply any patches as soon as possible, and investigate any unexpected data modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Budibase application with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an unspecified vulnerability to bypass access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to access restricted data.\u003c/li\u003e\n\u003cli\u003eThe vulnerable component processes the request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies sensitive data within the Budibase application.\u003c/li\u003e\n\u003cli\u003eThe attacker validates successful data manipulation through the Budibase user interface or API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to bypass intended security controls and manipulate sensitive data within the Budibase application. 
This could lead to data corruption, unauthorized disclosure of confidential information, or disruption of business processes that rely on the integrity of the data stored within Budibase.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches and updates provided by Budibase to remediate the security bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor Budibase application logs for suspicious activity, particularly related to data modification requests.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies within Budibase and regularly review user permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T10:34:53Z","date_published":"2026-05-18T10:34:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-budibase-security-bypass/","summary":"An authenticated remote attacker can exploit a vulnerability in Budibase to bypass security measures and manipulate data.","title":"Budibase Security Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-budibase-security-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@budibase/server (\u003c 3.38.1)","Budibase"],"_cs_severities":["high"],"_cs_tags":["ssrf","budibase","cve-2026-45715"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eBudibase is susceptible to a server-side request forgery (SSRF) vulnerability within its REST datasource integration. This flaw allows an authenticated \u0026quot;Builder\u0026quot; user to bypass the built-in IP blacklist and access internal network resources. 
The vulnerability stems from the \u003ccode\u003e_req()\u003c/code\u003e method in \u003ccode\u003epackages/server/src/integrations/rest.ts\u003c/code\u003e not re-checking the IP blacklist after an HTTP redirect, an oversight previously addressed in the automation steps (\u003ccode\u003efetchWithBlacklist\u003c/code\u003e in \u003ccode\u003epackages/server/src/automations/steps/utils.ts\u003c/code\u003e). By setting up an attacker-controlled server to redirect requests to internal services or cloud metadata endpoints, an attacker can steal sensitive information. This issue was confirmed on Budibase v3.34.6, with a fix released in version 3.38.1. This poses a significant risk to cloud environments where Budibase instances are deployed, as it can lead to credential theft and unauthorized access to internal resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sets up a redirect server (e.g., using Python's \u003ccode\u003ehttp.server\u003c/code\u003e) on a publicly accessible IP address, configured to redirect to an internal service or cloud metadata endpoint.\u003c/li\u003e\n\u003cli\u003eAn authenticated \u0026quot;Builder\u0026quot; user in Budibase creates a REST datasource, configuring it to point to the attacker's redirect server.\u003c/li\u003e\n\u003cli\u003eThe Builder initiates a query using the newly created REST datasource. The request includes the attacker's server URL in the \u003ccode\u003epath\u003c/code\u003e field of the query configuration.\u003c/li\u003e\n\u003cli\u003eBudibase's \u003ccode\u003e_req()\u003c/code\u003e method in \u003ccode\u003epackages/server/src/integrations/rest.ts\u003c/code\u003e performs an initial IP blacklist check on the attacker's server URL. 
Because the attacker's server is public, this check passes.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetch()\u003c/code\u003e function follows the HTTP redirect (301/302/307) to the internal target specified by the attacker's server (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e). Critically, this redirect is NOT re-checked against the IP blacklist.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the internal target, bypassing the intended security control.\u003c/li\u003e\n\u003cli\u003eThe internal target (e.g., cloud metadata service) responds with sensitive information.\u003c/li\u003e\n\u003cli\u003eBudibase receives the response from the internal target and displays it to the Builder user, effectively leaking sensitive information like cloud IAM credentials or allowing access to internal services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows attackers to bypass the IP blacklist and access internal services, leading to potential data breaches. On cloud instances, attackers can steal IAM credentials from metadata endpoints like \u003ccode\u003e169.254.169.254\u003c/code\u003e. Successful exploitation enables access to internal services such as CouchDB (\u003ccode\u003e:4005\u003c/code\u003e), Redis (\u003ccode\u003e:6379\u003c/code\u003e), and MinIO (\u003ccode\u003e:4004\u003c/code\u003e). 
The same SSRF had previously been fixed in the automation steps (commits \u003ccode\u003e6cfa3bcca3\u003c/code\u003e, \u003ccode\u003ee7d47625be\u003c/code\u003e) but not in the REST datasource integration, leaving a second, unpatched code path to the same sink.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.38.1 or later to patch CVE-2026-45715.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Budibase SSRF via REST Datasource to Metadata Endpoint\u0026quot; to detect exploitation attempts targeting cloud metadata endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Budibase SSRF via REST Datasource Redirect\u0026quot; to detect exploitation attempts redirecting to internal services.\u003c/li\u003e\n\u003cli\u003eReview and audit existing REST datasource configurations for unexpected external hosts. Because the internal target is reached through a redirect, the datasource URL itself looks like an ordinary external endpoint; the redirect target only appears in outbound traffic or egress logs.\u003c/li\u003e\n\u003cli\u003eAs defense in depth, limit the Builder role to trusted users, and on cloud hosts prefer token-based instance metadata access (for example IMDSv2 on AWS) and scope the instance role's permissions tightly so that any credentials exposed through the metadata endpoint have minimal reach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T17:54:56Z","date_published":"2026-05-15T17:54:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-budibase-ssrf/","summary":"Budibase is vulnerable to server-side request forgery (SSRF) via HTTP redirects in the REST datasource integration, allowing authenticated Builders to bypass IP blacklists and access internal services.","title":"Budibase REST Datasource SSRF via HTTP Redirect Bypass (CVE-2026-45715)","url":"https://feed.craftedsignal.io/briefs/2026-05-budibase-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Budibase","version":"https://jsonfeed.org/version/1.1"}
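The redirect bypass described in the SSRF brief above (the blacklist checked only on the initial URL while `fetch()` follows redirects on its own), as an added example that is not Budibase's own code: a JavaScript model of a client that validates the first URL and then follows redirects blindly, beside a hardened client that performs redirects manually and re-checks the denylist on every hop. The routing table, the host names `attacker.example` and `api.example`, the canned metadata response and the denylist ranges are all constructed for the example; a real implementation must additionally resolve the hostname and check the resolved address, which this offline model does not do.

```javascript
// Added example, not Budibase's own code. Models the redirect bypass from the
// brief above: a client that checks the IP denylist once and then lets the HTTP
// library follow redirects, beside a hardened client that resolves every hop
// itself. The "network" below is constructed; no real requests are made.

const MAX_REDIRECTS = 5;

// Constructed routing table: URL -> canned response. The attacker's host is
// public, so it passes the denylist, but it redirects (first via a relative
// Location, then an absolute one) into the cloud metadata endpoint.
const NETWORK = {
  'http://attacker.example/r1': { status: 302, headers: { location: '/r2' }, body: '' },
  'http://attacker.example/r2': {
    status: 302,
    headers: { location: 'http://169.254.169.254/latest/meta-data/iam/security-credentials/' },
    body: '',
  },
  'http://169.254.169.254/latest/meta-data/iam/security-credentials/': {
    status: 200, headers: {}, body: 'example-instance-role',
  },
  'http://api.example/ok': { status: 200, headers: {}, body: 'public data' },
};

// One request with no redirect handling, i.e. redirect: 'manual' semantics.
function fetchOnce(url) {
  const res = NETWORK[url];
  if (!res) throw new Error(`no route to ${url}`);
  return res;
}

// Returns the absolute next URL for a 3xx response with a Location header, else null.
function redirectTarget(res, currentUrl) {
  const loc = res.headers.location;
  if (res.status >= 300 && res.status < 400 && loc) {
    return new URL(loc, currentUrl).toString(); // resolves relative Location values
  }
  return null;
}

// Models redirect: 'follow': hops are resolved inside the client, so a caller
// that validated only the first URL never sees the later ones.
function fetchFollow(url) {
  let current = url;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = fetchOnce(current);
    const next = redirectTarget(res, current);
    if (next === null) return res;
    current = next;
  }
  throw new Error('too many redirects');
}

// Denies loopback, 0/8, link-local (which covers 169.254.169.254) and RFC 1918
// space. Constructed for the example: a real check must resolve the hostname
// and test the resolved address (and pin it for the connection) as well.
function isDeniedHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h === '::1' || h === '0.0.0.0') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Vulnerable pattern: denylist consulted once, then redirects followed blindly.
function vulnerableRequest(url) {
  if (isDeniedHost(new URL(url).hostname)) throw new Error('blocked: ' + url);
  return fetchFollow(url).body;
}

// Hardened pattern: manual redirects, denylist consulted on every hop.
function hardenedRequest(url) {
  let current = url;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (isDeniedHost(new URL(current).hostname)) {
      throw new Error(`blocked at hop ${hop}: ${current}`);
    }
    const res = fetchOnce(current);
    const next = redirectTarget(res, current);
    if (next === null) return res.body;
    current = next;
  }
  throw new Error('too many redirects');
}

// Runs both clients against one URL and reports either the body or the error.
function compare(url) {
  const attempt = (fn) => {
    try { return fn(url); } catch (e) { return 'error: ' + e.message; }
  };
  return { vulnerable: attempt(vulnerableRequest), hardened: attempt(hardenedRequest) };
}

console.log(compare('http://attacker.example/r1'));
console.log(compare('http://api.example/ok'));
```

Both clients reject a direct request to the metadata address, which is why the initial check in the brief passes for the attacker's public host; only the hardened client rejects the address once it appears as a redirect target. The hop counter also bounds redirect loops, which a manual-redirect implementation must handle itself.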