Budibase - CraftedSignal Threat Feed

Budibase Multiple Vulnerabilities

hello@craftedsignal.io — Thu, 21 May 2026 11:34:07 +0000

Multiple vulnerabilities have been identified within Budibase that could allow an attacker to perform various malicious activities. These include gaining administrative privileges, circumventing existing security measures, executing Cross-Site Scripting (XSS) attacks, manipulating sensitive data, and disclosing confidential information. The specifics of the vulnerabilities, such as CVE IDs or detailed technical descriptions, are not provided in the source document, making it difficult to assess the exact attack vectors and impact without further information. However, the potential for privilege escalation, data manipulation, and XSS attacks makes this a critical issue for organizations utilizing Budibase.

Attack Chain

Attacker identifies a vulnerable Budibase instance accessible over the network.
Attacker exploits a vulnerability (e.g., authentication bypass) to gain unauthorized access.
Attacker leverages gained privileges to escalate to administrator level.
Attacker bypasses security controls to inject malicious code or scripts.
Attacker executes Cross-Site Scripting (XSS) attacks to compromise user sessions.
Attacker manipulates data within the Budibase application, potentially altering critical business information.
Attacker exfiltrates sensitive or confidential information accessible through Budibase.
Attacker maintains persistent access for future malicious activities.

Impact

Successful exploitation of these vulnerabilities could lead to a range of adverse outcomes, including unauthorized access to sensitive data, modification of critical business information, and compromise of user accounts. The extent of the impact would depend on the specific vulnerabilities exploited and the scope of data and functionality accessible through the Budibase application. Without further details, it is challenging to estimate the precise number of potential victims or affected sectors.

Recommendation

Deploy the generic XSS detection rule to identify potential cross-site scripting attacks against Budibase applications.
Monitor Budibase logs (if available) for suspicious activity, and investigate any anomalies related to authentication or authorization.
Implement the generic privilege escalation detection rule to catch attempts to gain admin privileges.

Budibase Security Bypass Vulnerability

hello@craftedsignal.io — Mon, 18 May 2026 10:34:53 +0000

A security vulnerability exists within Budibase that could allow an authenticated remote attacker to bypass security precautions and manipulate data. The vulnerability's specifics are not detailed in this brief but the core issue leads to unauthorized data manipulation within the Budibase application. Defenders should apply any patches as soon as possible, and investigate any unexpected data modifications.

Attack Chain

The attacker authenticates to the Budibase application with valid credentials.
The attacker leverages an unspecified vulnerability to bypass access controls.
The attacker crafts a malicious request to access restricted data.
The vulnerable component processes the request without proper authorization checks.
The attacker modifies sensitive data within the Budibase application.
The attacker validates successful data manipulation through the Budibase user interface or API.

Impact

Successful exploitation of this vulnerability allows an attacker to bypass intended security controls and manipulate sensitive data within the Budibase application. This could lead to data corruption, unauthorized disclosure of confidential information, or disruption of business processes that rely on the integrity of the data stored within Budibase.

Recommendation

Apply the latest security patches and updates provided by Budibase to remediate the security bypass vulnerability.
Monitor Budibase application logs for suspicious activity, particularly related to data modification requests.
Implement strict access control policies within Budibase and regularly review user permissions.

Budibase REST Datasource SSRF via HTTP Redirect Bypass (CVE-2026-45715)

hello@craftedsignal.io — Fri, 15 May 2026 17:54:56 +0000

Budibase is susceptible to a server-side request forgery (SSRF) vulnerability within its REST datasource integration. This flaw allows an authenticated "Builder" user to bypass the built-in IP blacklist and access internal network resources. The vulnerability stems from the _req() method in packages/server/src/integrations/rest.ts not re-checking the IP blacklist after an HTTP redirect, an oversight previously addressed in the automation steps (fetchWithBlacklist in packages/server/src/automations/steps/utils.ts). By setting up an attacker-controlled server to redirect requests to internal services or cloud metadata endpoints, an attacker can steal sensitive information. This issue was confirmed on Budibase v3.34.6, with a fix released in version 3.38.1. This poses a significant risk to cloud environments where Budibase instances are deployed, as it can lead to credential theft and unauthorized access to internal resources.

Attack Chain

The attacker sets up a redirect server (e.g., using Python's http.server) on a publicly accessible IP address, configured to redirect to an internal service or cloud metadata endpoint.
An authenticated "Builder" user in Budibase creates a REST datasource, configuring it to point to the attacker's redirect server.
The Builder initiates a query using the newly created REST datasource. The request includes the attacker's server URL in the path field of the query configuration.
Budibase's _req() method in packages/server/src/integrations/rest.ts performs an initial IP blacklist check on the attacker's server URL. Because the attacker's server is public, this check passes.
The fetch() function follows the HTTP redirect (301/302/307) to the internal target specified by the attacker's server (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/). Critically, this redirect is NOT re-checked against the IP blacklist.
The request is sent to the internal target, bypassing the intended security control.
The internal target (e.g., cloud metadata service) responds with sensitive information.
Budibase receives the response from the internal target and displays it to the Builder user, effectively leaking sensitive information like cloud IAM credentials or allowing access to internal services.

Impact

The vulnerability allows attackers to bypass the IP blacklist and access internal services, leading to potential data breaches. On cloud instances, attackers can steal IAM credentials from metadata endpoints like 169.254.169.254. Successful exploitation enables access to internal services such as CouchDB (:4005), Redis (:6379), and MinIO (:4004). This SSRF vulnerability was previously fixed in automation steps (commits 6cfa3bcca3, e7d47625be) but not in the REST datasource integration, highlighting a critical oversight.

Recommendation

Upgrade Budibase to version 3.38.1 or later to patch CVE-2026-45715.
Deploy the Sigma rule "Detect Budibase SSRF via REST Datasource to Metadata Endpoint" to detect exploitation attempts targeting cloud metadata endpoints.
Deploy the Sigma rule "Detect Budibase SSRF via REST Datasource Redirect" to detect exploitation attempts redirecting to internal services.
Review and audit existing REST datasource configurations for any suspicious URLs that may point to external or unexpected internal targets.