CVE-2026-45548: Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
An authenticated user with builder permissions can:
- Access cloud metadata endpoints (AWS IAM credentials, GCP service tokens, Azure IMDS)
- Scan internal network services and ports
- Access internal APIs not intended for external access
- Exfiltrate data from internal services via the automation response
In Budibase Cloud (SaaS), this could be used to steal cloud provider credentials, potentially leading to full infrastructure compromise.
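The kind of destination check the title describes as missing, sketched in Node.js as an added example. It is not Budibase's code or its fix; the function names, the chosen deny-list ranges and the injectable `lookup` parameter are assumptions.

```javascript
// Added example (not Budibase code): deny-list check for outbound fetch targets.
const net = require("node:net");
const dns = require("node:dns").promises;

const blocked = new net.BlockList();
const v4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], // link-local, covers the 169.254.169.254 metadata address
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const v6 = [["fc00::", 7], ["fe80::", 10]]; // unique-local, link-local
for (const [p, bits] of v4) blocked.addSubnet(p, bits, "ipv4");
for (const [p, bits] of v6) blocked.addSubnet(p, bits, "ipv6");
blocked.addAddress("::1", "ipv6"); // loopback
blocked.addAddress("::", "ipv6"); // unspecified

// True when the address must not be contacted. Non-IP input fails closed.
function isBlockedAddress(address) {
  const family = net.isIP(address);
  if (family === 0) return true;
  if (family === 4) return blocked.check(address, "ipv4");
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by its embedded IPv4 address.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(address);
  return mapped ? blocked.check(mapped[1], "ipv4") : blocked.check(address, "ipv6");
}

// Resolves the URL's host and rejects if ANY resolved address is blocked.
// `lookup` is injectable so the check can be exercised without DNS.
async function resolveAllowed(rawUrl, lookup = (h) => dns.lookup(h, { all: true })) {
  const url = new URL(rawUrl); // WHATWG parsing normalises forms like 2130706433
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error("scheme not allowed");
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const answers = net.isIP(host) ? [{ address: host }] : await lookup(host);
  const addresses = answers.map((a) => a.address);
  if (addresses.length === 0 || addresses.some(isBlockedAddress)) {
    throw new Error("destination not allowed");
  }
  return addresses; // connect to these, not to a fresh lookup of the hostname
}
```

The check only holds if the request is then made to the returned addresses, since a second DNS lookup can return a different answer, and every redirect hop needs the same check.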