{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31818", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T17:41:56.076Z", "datePublished": "2026-04-03T15:41:13.955Z", "dateUpdated": "2026-04-03T20:04:33.012Z"}, "containers": {"cna": {"title": "Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1188", "lang": "en", "description": "CWE-1188: Insecure Default Initialization of Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45"}, {"name": "https://github.com/Budibase/budibase/pull/18236", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/pull/18236"}, {"name": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732"}, {"name": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.33.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:41:13.955Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4."}], "source": {"advisory": "GHSA-7r9j-r86q-7g45", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T20:04:22.287596Z", "id": "CVE-2026-31818", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:04:33.012Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31818", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T20:04:22.287596Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T20:04:28.809Z"}}], "cna": {"title": "Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist", "source": {"advisory": "GHSA-7r9j-r86q-7g45", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "< 3.33.4"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Budibase/budibase/pull/18236", "name": "https://github.com/Budibase/budibase/pull/18236", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732", "name": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "name": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188: Insecure Default Initialization of Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:41:13.955Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31818", "state": "PUBLISHED", "dateUpdated": "2026-04-03T20:04:33.012Z", "dateReserved": "2026-03-09T17:41:56.076Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:41:13.955Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4."}], "id": "CVE-2026-31818", "lastModified": "2026-04-03T16:16:39.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:39.800", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732"}, {"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/pull/18236"}, {"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}, {"lang": "en", "value": "CWE-1188"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.33.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-03T19:21:00.586065+00:00", "value": {"mitigation_remediation": ["Upgrade Budibase to version 3.33.4 or later to apply the official patch", "If an upgrade cannot be performed immediately, set the BLACKLIST_IPS environment variable to a list of allowed IP ranges to re\u2011enable SSRF protection", "If environment variables cannot be configured, disable the REST connector or restrict its use to trusted users only", "Verify that no other vulnerable components remain in the deployment"], "summary": {"action": "Apply Patch", "impact": "Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Any installation of Budibase older than version 3.33.4 is affected. The vulnerability resides in the REST connector component of the platform, regardless of deployment method, because the default configuration does not assign the BLACKLIST_IPS variable.", "description_and_impact": "The Budibase low\u2011code platform allows a server\u2011side request forgery through its REST datasource connector when the environment variable controlling IP blacklisting is unset. This removes the protection layer and permits an attacker to cause the server to make arbitrary outbound HTTP requests. The weakness is identified as CWE\u2011918 and CWE\u20111188, meaning an attacker can force the application to reach internal or external resources that should be inaccessible, potentially exposing sensitive information or enabling lateral movement.", "risk_and_exploitability": "The CVSS score is 9.6, indicating critical severity. There is no EPSS value or KEV listing, but the lack of active protection makes exploitation straightforward once the attacker can invoke the REST connector, typically via authenticated or unauthenticated user access. The attack path relies on constructing a request to the connector with a target URL; with the blacklist check bypassed, the request proceeds unfiltered. The risk remains high until the patch or a workaround is applied."}}}}, "created": "2026-04-03T21:13:01.821491+00:00", "updated": "2026-04-03T21:15:14.320198+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}