CVE-2026-48153: Server-Side Request Forgery in Budibase OAuth2 SDK
Vulnerability ID: CVE-2026-48153
CVSS Score: 8.5
Published: 2026-06-22
CVE-2026-48153 is a Server-Side Request Forgery (SSRF) vulnerability in the Budibase OAuth2 SDK prior to version 3.39.0. An authenticated, low-privileged user can bypass the outbound network blacklist and make the Budibase server issue arbitrary requests to internal subnets or cloud metadata services.
TL;DR
A bypass in the Budibase OAuth2 SDK allows low-privileged users to trigger Server-Side Request Forgery (SSRF) against internal resources, bypassing central IP blacklists.
⚠️ Exploit Status: PoC (proof of concept)
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network (AV:N)
- CVSS v3.1: 8.5 (HIGH)
- EPSS Score: 0.00174
- EPSS Percentile: 7.04%
- Exploit Status: PoC
- KEV Status: not listed
Affected Systems
- Budibase < 3.39.0 (fixed in 3.39.0)
Mitigation Strategies
- Upgrade Budibase to version 3.39.0 or higher
- Implement network egress filtering so the application container cannot reach loopback, private subnets or the cloud metadata endpoint
- Audit OAuth2 datasource configurations for endpoint URLs that point at internal IP addresses, or at hostnames that resolve to them
Remediation Steps:
- Pull the latest Budibase container image (version >= 3.39.0)
- Redeploy the application service
- Configure container network security groups or iptables to block egress to 169.254.169.254 and private subnets unless the application genuinely needs them
- Restrict the assignment of the builder role to trusted users
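The datasource audit and the egress-filtering steps above both come down to one question: where will a configured endpoint URL actually connect? The following is an added example, not code from Budibase or from this advisory, of an application-layer destination check that such an audit can run over configured URLs. The hostnames, the sample URLs and the lookup table standing in for DNS are constructed for the example, and `93.184.216.34` is used only as an arbitrary globally routable address. The check interprets the host the way a libc resolver would (shorthand and encoded IPv4 literals, IPv4-mapped IPv6, every DNS record rather than the first) before deciding by address class; that is the general form of the string-blacklist problem the advisory describes, not a reconstruction of the specific bypass in CVE-2026-48153.

```python
"""SSRF destination check: judge a URL by where it will actually connect."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def _parse_ipv4_part(part: str) -> int:
    """One dotted-quad component under C inet_aton rules: 0x.. hex, 0.. octal, else decimal."""
    if not part.isalnum():
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def parse_ipv4_loose(host: str) -> Optional[ipaddress.IPv4Address]:
    """Accept the shorthand literals inet_aton accepts ("2130706433", "0x7f.1", "0177.0.0.1").

    A blacklist that only understands dotted-quad strings never matches these forms,
    yet the HTTP client's resolver still turns them into 127.0.0.1. Returns None when
    the string is not an inet_aton-style literal (i.e. it is a hostname).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    *head, tail = values
    # The last component fills all remaining octets, exactly as inet_aton does.
    if any(v > 0xFF for v in head) or tail >= 1 << (8 * (4 - len(head))):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    return ipaddress.IPv4Address((packed << (8 * (4 - len(head)))) | tail)


def is_forbidden_destination(ip: IPAddr) -> bool:
    """Loopback, RFC 1918, link-local (169.254.169.254), CGNAT, multicast and any other
    non-global address. IPv4-mapped IPv6 is unwrapped first so ::ffff:127.0.0.1 is
    judged as 127.0.0.1 rather than as an unfamiliar IPv6 literal."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global


def system_resolver(host: str) -> List[str]:
    """Default resolver: the same getaddrinfo the HTTP client will use."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str, List[str]]:
    """Return (allowed, reason, destination_ips) for a proposed server-side fetch.

    Every address the host resolves to is checked, not just the first, so a name
    with one public and one private record is rejected.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme must be http(s) with a host", []
    try:
        candidates: List[IPAddr] = [ipaddress.ip_address(host)]
    except ValueError:
        loose = parse_ipv4_loose(host)
        if loose is not None:
            candidates = [loose]
        else:
            try:
                candidates = [ipaddress.ip_address(a) for a in resolver(host)]
            except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
                return False, f"resolution failed: {exc}", []
    if not candidates:
        return False, "host resolved to no addresses", []
    ips = [str(ip) for ip in candidates]
    for ip in candidates:
        if is_forbidden_destination(ip):
            return False, f"{ip} is not a public address", ips
    return True, "ok", ips


# Constructed stand-in for DNS so the example runs offline; 93.184.216.34 is just
# an arbitrary globally routable address, not an endpoint related to Budibase.
SAMPLE_DNS: Dict[str, List[str]] = {
    "idp.partner.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "dual.internal": ["93.184.216.34", "10.0.0.5"],
}


def table_resolver(host: str) -> List[str]:
    """Resolver backed by the constructed table above (hypothetical names)."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"no constructed record for {host}")
    return SAMPLE_DNS[host]


# Constructed datasource endpoint URLs, as an audit would collect them.
SAMPLE_URLS = [
    "https://idp.partner.example/oauth/token",
    "http://169.254.169.254/latest/meta-data/",
    "http://2130706433/",
    "http://0x7f.1/",
    "http://[::ffff:127.0.0.1]/",
    "http://metadata.internal/",
    "http://dual.internal/",
    "file:///etc/passwd",
]


def audit(urls: List[str], resolver: Resolver = table_resolver) -> Dict[str, bool]:
    """Map each configured URL to whether a server-side fetch of it would be allowed."""
    return {u: check_url(u, resolver)[0] for u in urls}


if __name__ == "__main__":
    for url, ok in audit(SAMPLE_URLS).items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {url}")
```

Two caveats apply to any check of this kind. It is only as good as the address the client then connects to, so the HTTP client should connect to the validated IP (or re-validate inside its connect hook) rather than resolve the name a second time, or a DNS answer that changes between check and connect defeats it. And it complements rather than replaces the iptables or security-group egress rules in the steps above, which also stop redirects and anything that slips past the application layer.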