CVE-2026-48146: Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection

June 12, 2026

The OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts (line 59) uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used in every other outbound HTTP call (automation steps, plugin downloads, object store), but was not applied to the OAuth2 token endpoint.

A user with BUILDER role can point the OAuth2 token URL to internal services (CouchDB, cloud metadata) to exfiltrate sensitive data.

References

github.com/Budibase/budibase/security/advisories/GHSA-g6qx-g4pr-92v7
github.com/advisories/GHSA-g6qx-g4pr-92v7
nvd.nist.gov/vuln/detail/CVE-2026-48146

Code Behaviors & Features

Detect and mitigate CVE-2026-48146 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →