CVE-2026-45715: Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration

May 15, 2026

The REST datasource integration follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. The same vulnerability class was already patched in automation steps (fetchWithBlacklist in packages/server/src/automations/steps/utils.ts) but the REST integration was missed.

References

github.com/Budibase/budibase/releases/tag/3.38.1
github.com/Budibase/budibase/security/advisories/GHSA-fgqv-jh4g-pvg2
github.com/advisories/GHSA-fgqv-jh4g-pvg2
nvd.nist.gov/vuln/detail/CVE-2026-45715

Code Behaviors & Features

Detect and mitigate CVE-2026-45715 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →