<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Budibase — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/budibase/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 04 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/budibase/feed.xml" rel="self" type="application/rss+xml"/><item><title>Budibase REST Connector SSRF via Empty Blacklist</title><link>https://feed.craftedsignal.io/briefs/2026-04-budibase-ssrf/</link><pubDate>Sat, 04 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-budibase-ssrf/</guid><description>A critical Server-Side Request Forgery (SSRF) vulnerability in Budibase's REST datasource connector allows attackers with Builder privileges to exfiltrate sensitive data from internal network services due to a missing default IP blacklist.</description><content:encoded><![CDATA[<p>A critical Server-Side Request Forgery (SSRF) vulnerability exists in Budibase version 3.30.6, affecting self-hosted instances that do not explicitly configure the <code>BLACKLIST_IPS</code> environment variable. The vulnerability resides within the REST datasource connector and the backend-core blacklist module. Due to the absence of a default IP blacklist, the <code>isBlacklisted()</code> function in <code>packages/backend-core/src/blacklist/blacklist.ts</code> unconditionally returns <code>false</code>, bypassing SSRF protection. 
This allows users with <code>Builder</code> privileges or <code>QUERY WRITE</code> permissions to create malicious REST datasources, query internal services, and exfiltrate sensitive data, including CouchDB credentials, application data, and internal service metadata. This vulnerability impacts confidentiality, integrity, and availability, potentially leading to complete instance takeover.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker with <code>Builder</code> privileges logs into the Budibase application.</li>
<li>The attacker creates a new REST datasource via <code>POST /api/datasources</code>, configuring it to target an internal service like <code>http://couchdb-service:5984</code>.</li>
<li>The Budibase server, specifically the <code>packages/server/src/integrations/rest.ts</code> component, evaluates the URL against the blacklist. Due to the empty <code>BLACKLIST_IPS</code>, the <code>isBlacklisted()</code> function returns <code>false</code>.</li>
<li>The REST integration proceeds with the request using the <code>fetch</code> API, sending the request to the specified internal service.</li>
<li>The internal service (e.g., CouchDB) responds with data.</li>
<li>The attacker creates a query via <code>POST /api/queries</code> that uses the malicious REST datasource.</li>
<li>The attacker executes the query via <code>POST /api/v2/queries/:id</code>, triggering a request to the internal service.</li>
<li>The response from the internal service, containing sensitive data like database credentials or application data, is returned to the attacker, enabling data exfiltration or further exploitation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to read CouchDB databases, including user credentials (bcrypt password hashes) and platform configurations. They can also modify user records, create new admin accounts, alter application data, or delete databases. The vulnerability enables resource exhaustion, database destruction, and service disruption. It also crosses the security boundary between the Budibase application layer and the infrastructure layer, granting access to CouchDB, MinIO, Redis, and other internal services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately set the <code>BLACKLIST_IPS</code> environment variable in your Budibase deployment to include at least <code>127.0.0.1</code>, private IP ranges (<code>10.0.0.0/8</code>, <code>172.16.0.0/12</code>, <code>192.168.0.0/16</code>), link-local addresses (<code>169.254.0.0/16</code>), and cloud metadata endpoints to mitigate the SSRF vulnerability.</li>
<li>Restrict <code>BUILDER</code> role access to only trusted users. Consider using the principle of least privilege for application-level permissions.</li>
<li>Deploy the Sigma rule &ldquo;Detect Budibase REST Datasource Creation Targeting Internal IPs&rdquo; to your SIEM and tune for your environment to detect potential exploitation attempts.</li>
<li>If you have unpatched instances of Budibase and have granted <code>QUERY WRITE</code> permissions widely, immediately audit and revoke those permissions from untrusted users.</li>
<li>Monitor webserver logs for unusual requests originating from the Budibase application server to internal IP addresses or services, particularly those used by CouchDB, Redis, or MinIO, to identify potential SSRF attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ssrf</category><category>budibase</category><category>vulnerability</category></item><item><title>Budibase Command Injection Vulnerability in Bash Automation Step</title><link>https://feed.craftedsignal.io/briefs/2026-04-budibase-cmd-injection/</link><pubDate>Sat, 04 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-budibase-cmd-injection/</guid><description>A command injection vulnerability exists in Budibase's bash automation step due to insufficient sanitization, allowing attackers with automation modification access to inject arbitrary shell commands, leading to remote code execution.</description><content:encoded><![CDATA[<p>A command injection vulnerability has been identified in Budibase versions prior to 3.33.4, specifically within the bash automation step located in <code>packages/server/src/automations/steps/bash.ts</code>. This flaw allows an attacker with permissions to create or modify automation workflows to inject arbitrary shell commands. The vulnerability stems from the usage of <code>execSync</code> to execute user-supplied commands without adequate sanitization or validation. Input is processed through <code>processStringSync</code>, enabling template interpolation that can be exploited for command injection. Successful exploitation could lead to remote code execution, complete system compromise, data exfiltration, and lateral movement within the affected infrastructure. Defenders should prioritize patching or implementing mitigations to prevent exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to the Budibase platform with the ability to create or modify automation workflows.</li>
<li>The attacker crafts a malicious payload containing shell commands embedded within template syntax (e.g., <code>$(rm -rf /)</code>, <code>; malicious-command</code>, <code>| malicious-command</code>).</li>
<li>The attacker injects the malicious payload into the <code>inputs.code</code> field of a bash automation step.</li>
<li>The <code>processStringSync</code> function processes the user-supplied input, interpolating the template syntax and generating a command string.</li>
<li>The <code>execSync</code> function executes the crafted command string without proper sanitization.</li>
<li>The injected shell commands execute on the server with the privileges of the Budibase application.</li>
<li>The attacker achieves remote code execution, potentially gaining control of the server.</li>
<li>The attacker can then perform actions such as data exfiltration, lateral movement, or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to severe consequences, including remote code execution (RCE) on the Budibase server. This could result in complete system compromise, allowing attackers to steal sensitive data, modify system configurations, or use the compromised system as a pivot point for further attacks within the network. While the exact number of affected organizations is unknown, any Budibase instance running a version prior to 3.33.4 is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately disable the bash automation step in production environments to prevent further exploitation.</li>
<li>Upgrade Budibase to version 3.33.4 or later, where this vulnerability is addressed.</li>
<li>Implement the command sanitization and validation techniques outlined in the provided example fix.</li>
<li>If upgrading is not immediately feasible, implement a whitelist of allowed commands to restrict the functionality of the bash automation step.</li>
<li>Enable and review Budibase application logs for any unusual or suspicious command execution patterns (reference: Overview section).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>rce</category><category>budibase</category></item><item><title>Budibase Unauthenticated Remote Code Execution via Webhook</title><link>https://feed.craftedsignal.io/briefs/2026-04-budibase-rce/</link><pubDate>Fri, 03 Apr 2026 16:16:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-budibase-rce/</guid><description>Budibase versions before 3.33.4 are susceptible to unauthenticated remote code execution, where a threat actor can trigger a Bash step within an automation via the public webhook endpoint, leading to code execution as root within the container.</description><content:encoded><![CDATA[<p>Budibase, an open-source low-code platform, is vulnerable to remote code execution (RCE) in versions prior to 3.33.4. This vulnerability, identified as CVE-2026-35216, allows an unauthenticated attacker to execute arbitrary commands on the Budibase server. The attack involves leveraging the public webhook endpoint to trigger an automation containing a Bash step. Due to the lack of authentication, malicious actors can directly interact with the webhook to initiate the execution. The process runs as root within the container, increasing the severity of the impact. Budibase patched this vulnerability in version 3.33.4. Defenders must upgrade to the latest version to mitigate this threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Budibase instance running a version prior to 3.33.4.</li>
<li>The attacker locates a public webhook endpoint exposed by the Budibase instance.</li>
<li>The attacker crafts a malicious HTTP request targeting the webhook endpoint.</li>
<li>The crafted request triggers a pre-configured automation within Budibase.</li>
<li>The automation contains a Bash step that executes attacker-controlled commands.</li>
<li>The Bash script executes as root within the container.</li>
<li>The attacker gains control of the Budibase server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-35216 allows an unauthenticated attacker to achieve remote code execution (RCE) on the affected Budibase server. Since the process executes as root within the container, the attacker gains complete control over the Budibase instance. This can lead to data breaches, service disruption, or further lateral movement within the network. Organizations using vulnerable Budibase versions are at high risk of compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Budibase to version 3.33.4 or later to patch CVE-2026-35216.</li>
<li>Monitor web server logs for suspicious POST requests to webhook endpoints associated with Budibase to detect exploitation attempts.</li>
<li>Deploy the Sigma rule provided to detect the execution of bash commands in automations triggered by webhooks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-35216</category><category>budibase</category><category>rce</category><category>webhook</category></item><item><title>Budibase Stored Cross-Site Scripting Vulnerability (CVE-2026-35218)</title><link>https://feed.craftedsignal.io/briefs/2026-04-budibase-xss/</link><pubDate>Fri, 03 Apr 2026 16:16:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-budibase-xss/</guid><description>A stored cross-site scripting (XSS) vulnerability in Budibase versions prior to 3.32.5 allows authenticated users with Builder access to inject malicious HTML payloads into entity names, leading to potential session cookie theft and account takeover when other Builder users open the Command Palette.</description><content:encoded><![CDATA[<p>Budibase, an open-source low-code platform, is vulnerable to a stored cross-site scripting (XSS) attack. Prior to version 3.32.5, the Builder Command Palette renders entity names (tables, views, queries, automations) unsanitized, using Svelte&rsquo;s <code>{@html}</code> directive. This allows an attacker with Builder access to inject arbitrary HTML into the names of database tables, views, queries, or automations. When a Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the injected HTML payload is executed within their browser context. This execution can be leveraged to steal session cookies, leading to full account takeover. The vulnerability, identified as CVE-2026-35218, was patched in Budibase version 3.32.5. Defenders should prioritize upgrading to the patched version.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to a Budibase instance with Builder access.</li>
<li>The attacker creates or modifies a database table.</li>
<li>The attacker injects a malicious HTML payload (e.g., <code>&lt;img src=x onerror=alert(document.domain)&gt;</code>) into the table name via the Budibase Builder interface.</li>
<li>The attacker saves the modified table.</li>
<li>Another authenticated user with Builder access in the same workspace opens the Command Palette (Ctrl+K).</li>
<li>The Command Palette renders the table name containing the malicious HTML.</li>
<li>The user&rsquo;s browser executes the injected HTML, triggering the onerror event and executing JavaScript.</li>
<li>The JavaScript steals the user&rsquo;s session cookie and sends it to an attacker-controlled server.</li>
<li>The attacker uses the stolen session cookie to impersonate the victim user and gain full account access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to the theft of sensitive user session cookies, allowing an attacker to impersonate legitimate users with Builder access. This can result in unauthorized modification of Budibase applications, exfiltration of sensitive data stored within Budibase, and further compromise of systems integrated with Budibase. The severity is high due to the ease of exploitation for authenticated users and the potential for complete account takeover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Budibase to version 3.32.5 or later to remediate CVE-2026-35218.</li>
<li>Implement the Sigma rule <code>Budibase_Suspicious_Command_Palette_HTML</code> to detect potential exploitation attempts by monitoring HTTP activity related to the Command Palette.</li>
<li>Enable webserver logging to collect the data required by the Sigma rule <code>Budibase_Suspicious_Command_Palette_HTML</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>budibase</category><category>xss</category><category>cve-2026-35218</category><category>web-application</category></item><item><title>Budibase Path Traversal Vulnerability in Plugin Upload</title><link>https://feed.craftedsignal.io/briefs/2024-05-budibase-traversal/</link><pubDate>Fri, 03 Apr 2026 16:16:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-budibase-traversal/</guid><description>A path traversal vulnerability exists in Budibase versions prior to 3.33.4, allowing attackers with Global Builder privileges to delete arbitrary directories and write arbitrary files via crafted plugin uploads.</description><content:encoded><![CDATA[<p>Budibase, an open-source low-code platform, is vulnerable to a path traversal attack in versions prior to 3.33.4. This flaw resides in the plugin file upload endpoint (<code>POST /api/plugin/upload</code>), where the user-supplied filename is passed unsanitized to <code>createTempFolder()</code>. An attacker with Global Builder privileges can exploit this by crafting a multipart upload containing &ldquo;../&rdquo; sequences in the filename. This allows them to manipulate file paths, leading to arbitrary directory deletion via <code>rmSync</code> and arbitrary file write via tarball extraction. The attacker can write files to any filesystem path accessible by the Node.js process running Budibase. This vulnerability has been patched in version 3.33.4, and organizations using older versions are at risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains Global Builder privileges within a vulnerable Budibase instance (version &lt; 3.33.4).</li>
<li>The attacker crafts a multipart upload request targeting the <code>/api/plugin/upload</code> endpoint (POST request).</li>
<li>Within the multipart form data, the attacker includes a filename parameter.</li>
<li>The filename parameter contains path traversal sequences such as &ldquo;../&rdquo; to manipulate the file path.</li>
<li>The Budibase application passes the unsanitized filename to the <code>createTempFolder()</code> function.</li>
<li>The manipulated path is then used in subsequent file system operations, such as <code>rmSync</code> (for deleting directories) and tarball extraction.</li>
<li>The attacker leverages <code>rmSync</code> with the manipulated path to delete arbitrary directories on the server.</li>
<li>Alternatively, the attacker leverages tarball extraction to write arbitrary files to arbitrary locations on the server, leading to potential code execution or data compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker with Global Builder privileges to perform arbitrary file system operations on the Budibase server. This includes the ability to delete arbitrary directories, potentially causing denial of service, and write arbitrary files, potentially leading to remote code execution. The impact is significant as it could allow for complete system compromise if the attacker can overwrite critical system files or deploy malicious code. This is especially dangerous for organizations relying on Budibase for critical business applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Budibase to version 3.33.4 or later to patch the CVE-2026-35214 vulnerability.</li>
<li>Using the Sigma rule provided, monitor web server logs for POST requests to the <code>/api/plugin/upload</code> endpoint whose filenames contain &ldquo;../&rdquo; sequences.</li>
<li>Implement strict access control policies to limit the number of users with Global Builder privileges within Budibase.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>path-traversal</category><category>vulnerability</category><category>budibase</category></item></channel></rss>